- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 12 Dec 2013 14:12:10 -0800
- To: Joel Weinberger <jww@chromium.org>
- Cc: Webapps WG <public-webapps@w3.org>

On Thu, Dec 12, 2013 at 2:03 PM, Joel Weinberger <jww@chromium.org> wrote:
> On Thu, Dec 12, 2013 at 1:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Thu, Dec 12, 2013 at 1:45 PM, Joel Weinberger <jww@chromium.org> wrote:
>> >> But it would suck if the result is that they create their own form
>> >> fields using <div>s and/or contenteditable.
>> >
>> > That's true, although some things like that are already pretty prevalent so
>> > we've come up with decent heuristics for detecting them. In the end, though,
>> > they always can try obfuscation, but we think that this will, in fact,
>> > benefit their users.
>>
>> Whether it benefits users or not is unfortunately less relevant than
>> whether websites think that it benefits users. Since if they don't
>> think it does, we'll end up in an escalating war of browsers and
>> websites working around each other.
>
> I'm not sure if I entirely agree. This is a feature (or anti-feature,
> depending on your perspective :-) that has been touted as "good security"
> for quite some time (in fact, the W3C spec specifically calls it out in that
> regard).
>
> I have some hope, perhaps misplaced, that if we change it and say, "hey,
> this is actually really bad for users," at least some developers will get
> it. Some won't, and they'll obfuscate, but any improvement in the number of
> people who are able to use password managers is a Good Thing.

I definitely agree with you here. I'm all for changing the spec to say
"this is bad for security". It'll definitely sway some authors. But
unlikely to sway everyone.

/ Jonas

Received on Thursday, 12 December 2013 22:13:08 UTC