- From: Alan Egerton <eggyal@gmail.com>
- Date: Wed, 13 Jun 2012 18:51:00 +0100
- To: public-html-comments@w3.org
Looking over <http://dev.w3.org/html5/spec/the-keygen-element.html>, what is there to prevent a client-side script from removing the keygen element from the DOM and replacing it with an attacker's key? One presumes that the "challenge" attribute was intended to overcome such threats, but the malicious script can read the challenge value and generate/sign its own key accordingly. Perhaps the browser should provide keys generated by <keygen> to the server in an HTTP header that cannot be accessed/manipulated by client-side script? -- Alan
Received on Thursday, 14 June 2012 09:17:08 UTC