- From: Nick Niemeir <nniemeir@newrelic.com>
- Date: Fri, 23 Jan 2015 17:18:44 -0800
- To: public-web-perf@w3.org
Received on Monday, 26 January 2015 13:23:55 UTC
For a quick example, go to https://httpbin.org/ and try this out in the console:

```
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://foo:bar@httpbin.org/basic-auth/foo/bar');
xhr.send();
// Once the request has had time to finish, read the URL of the newest
// resource timing entry and pull the password out of its userinfo part.
setTimeout(function () {
  alert('Your password is: ' +
    performance.getEntriesByType('resource').pop().name.split('@')[0].split(':').pop());
}, 500);
```

Using basic auth may not be a great idea, but people still do, inadvertently exposing passwords to other JavaScript on their pages.
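An added example, not part of the original message: a monitoring script can strip the userinfo part from Resource Timing entry names before it logs or beacons them, and record which hosts were requested with embedded credentials. The function names and the sample entries are constructed for illustration; this only covers what the script itself reports and does not stop other scripts on the page from reading the entries.

```javascript
// Hypothetical helper: remove "user:password@" from one entry name.
function redactEntryName(name) {
  let url;
  try {
    url = new URL(name);
  } catch (e) {
    // Not an absolute URL, so there is no userinfo component to strip.
    return { name: name, hadCredentials: false };
  }
  const hadCredentials = url.username !== '' || url.password !== '';
  if (!hadCredentials) {
    // Return the original string so '@' in a path or query is left alone.
    return { name: name, hadCredentials: false };
  }
  url.username = '';
  url.password = '';
  return { name: url.href, hadCredentials: true };
}

// Hypothetical helper: copy the fields a report needs, with redacted names,
// and list the hosts that were requested with credentials in the URL.
function sanitizeResourceEntries(entries) {
  const flaggedHosts = [];
  const sanitized = entries.map(function (entry) {
    const result = redactEntryName(entry.name);
    if (result.hadCredentials) {
      flaggedHosts.push(new URL(result.name).host);
    }
    return {
      name: result.name,
      initiatorType: entry.initiatorType,
      duration: entry.duration
    };
  });
  return { sanitized: sanitized, flaggedHosts: flaggedHosts };
}

// Constructed sample entries shaped like PerformanceResourceTiming objects.
// In a browser, pass performance.getEntriesByType('resource') instead.
const sampleEntries = [
  { name: 'https://foo:bar@httpbin.org/basic-auth/foo/bar', initiatorType: 'xmlhttprequest', duration: 120 },
  { name: 'https://example.test/app.js?contact=a@example.test', initiatorType: 'script', duration: 30 },
  { name: 'https://user@example.test:8443/api', initiatorType: 'fetch', duration: 45 }
];

const report = sanitizeResourceEntries(sampleEntries);
console.log(JSON.stringify(report, null, 2));
```

The `flaggedHosts` list gives a site owner the places where credentials are being put into request URLs, which is the thing to fix at the source.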