Resource Timing "name" capturing basic auth credentials for XHR requests. from Nick Niemeir on 2015-01-24 (public-web-perf@w3.org from January 2015)

From: Nick Niemeir <nniemeir@newrelic.com>
Date: Fri, 23 Jan 2015 17:18:44 -0800
To: public-web-perf@w3.org
Message-ID: <CANEpQ8a0Onhthur7hc_uxhJKdh5xa9HWX9GP9+91Y=K032dsXQ@mail.gmail.com>

For a quick example go to https://httpbin.org/ and try this out in the
console:

```
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://foo:bar@httpbin.org/basic-auth/foo/bar');
xhr.send();
setTimeout(function () { alert('Your password is: ' +

performance.getEntriesByType('resource').pop().name.split('@')[0].split(':').pop()
)}, 500);
```

Using basic auth may not be a great idea, but people still do,
inadvertently exposing passwords to other javascript on their pages.

Received on Monday, 26 January 2015 13:23:55 UTC