On Thu, Feb 2, 2012 at 10:43 PM, Charles Pritchard <chuck@jumis.com> wrote:
> **
> On 2/2/12 10:27 PM, Ryosuke Niwa wrote:
>
> On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard <chuck@jumis.com>wrote:
>>
>> Seems like a very minor risk for high security sites, e.g. banking, in
>> identifying form elements.
>> In the spirit of giving it some thought:
>>
>
> But even for those websites, what could input / textarea elements can
> reveal more than what user sees?
>
> Many sites use <input hidden> elements with what are essentially image
> maps for entering a PIN.
>
But any element with display:none will be removed so <input hidden> should
be removed.
It's becoming more common that top level domains are being restricted or
> redirected to country codes. It seems plausible that domains may further be
> restricted to HTTPS (SSL) signatures. Going further, sites may be
> restricted to those which serve appropriate security headers against XSS
> attacks. Disabling the "copy" mechanism for any portion of a site does risk
> censorship. But, we are only examining high security portions of high
> security sites, such as <input hidden> and <input type=password>.
>
input[type=password] is a good one. We should probably get rid of the value
in that case?
- Ryosuke