Re: Proposal: https://example.com/.well-known/modify-credentials

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 5 Apr 2018 09:38:29 +1000
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <9A06A602-275C-4093-ABD9-E74AD37DADE4@mnot.net>
To: John Wilander <wilander@apple.com>

>> We don’t want to cache or save specific locations since they may get stale, stateful things tend to become tracking vectors, and an HTML element sounds like a phishing injection vector.

Thinking about this more -- I'm not sure why this merits a well-known location. Everything else that the password manager knows about the login interface, it gets from the login page, correct? If so, it seems like putting this information there doesn't introduce any new security issues (since an XSS, etc. there is going to compromise the account anyway). 

Tracking doesn't seem like a relevant concern -- as long as the user has an account at the site, that's a far easier way to track the user's activity.

Again, not against using a well-known location on principle here, just curious as to why a new mechanism is needed here.

Cheers,


--
Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 4 April 2018 23:40:18 UTC