- From: Jake Archibald via GitHub <sysbot+gh@w3.org>
- Date: Sat, 10 Mar 2018 14:30:35 +0000
- To: public-css-archive@w3.org
> Sending password from server or setting it in additional parameters like React.js (a synonym of nuclear reactor) is very bad practice. Sending passwords is bad because it suggests they're storing raw passwords. The sending of personal data over a secure connection isn't inherently bad, else how would you read your emails? What React's doing isn't inherently bad either. The web guarantees the safety of the origin model. The thing at fault is the person whole reduced the security of the origin model by trusting third party items that were not trustworthy. > I think additionally, the value (in HTML) for <input type="password"/> should be deprecated like for files in the past. These things aren't the same. The data that was removed from the file input was also removed from the data sent to the server. I assume you aren't suggesting that password values should be blocked from the server too 😀. If browser implemented what you're suggesting, attackers could just use a regular text input and use a font to make it look masked like a password field. -- GitHub Notification of comment by jakearchibald Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2426#issuecomment-372034145 using your GitHub account
Received on Saturday, 10 March 2018 14:30:37 UTC