- From: Richard Schwerdtfeger <richschwer@gmail.com>
- Date: Wed, 22 Jun 2016 13:02:30 -0500
- To: public-apa@w3.org

The ARIA review of the password role has uncovered a security hole in some browsers that provide for an object viewer that can show the value of the password field even though it is obfuscated or “masked.” This allows for a person to open up the browser on someone’s machine, go to a site, have the password automatically filled, and then use the object inspector to view the value of the password. Mozilla was one browser that is doing this. It MUST be a failure in the implementation of HTML 5.1 to allow this - including earlier versions of HTML. I don’t know how many browsers do this.

Rich

Received on Wednesday, 22 June 2016 18:03:03 UTC