
Re: Proposal: https://example.com/.well-known/modify-credentials

From: Jeff Goldberg <jeff@agilebits.com>
Date: Fri, 6 Apr 2018 13:41:16 -1000
Message-Id: <5F74FE68-3081-48A0-93A8-38D488BC09B5@agilebits.com>
To: public-webappsec@w3.org

> Maybe we have password manager folks on the list already? Would this well-known location be useful to you?


What I like about this particular proposal is that it places much less burden on site developers than other proposals that have been made over the years. In a sense, this is less ambitious than other schemes but has a much greater chance of success.

There are two uses I foresee.

1. The obvious one is that when we recommend that users change a password, we can help direct them to the right resource to do so.

2. We also have a bunch of code in place to help guess whether someone has submitted a form which is a login form, a signup form, or a password change form. Making use of the information in /.well-known/modify-credentials can give us a big hint to work into our heuristics. 



Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits

Received on Monday, 9 April 2018 08:32:02 UTC
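
The second use described in the message, sketched as an added example that is not part of the original post and not AgileBits' code: a form classifier that treats the site's `/.well-known/modify-credentials` answer as one weighted signal among markup heuristics. The message does not say how the location answers, so the example assumes it resolves to the URL of the site's credential-change page (`hintUrl`); the function names, form objects and weights are hypothetical.

```javascript
// Added example (not from the original message). Forms are plain objects
// standing in for parsed DOM forms; weights are illustrative assumptions.
const WELL_KNOWN_PATH = "/.well-known/modify-credentials";

// Where a client would ask for the hint, given any page on the site.
function wellKnownUrl(pageUrl) {
  return new URL(WELL_KNOWN_PATH, new URL(pageUrl).origin).href;
}

// True when the page showing the form is the page the hint points at.
// hintUrl is assumed to be what the well-known URL resolved to, or null.
function matchesHint(pageUrl, hintUrl) {
  if (!hintUrl) return false;
  try {
    const page = new URL(pageUrl);
    const hint = new URL(hintUrl);
    const trim = (p) => p.replace(/\/+$/, "");
    // Ignore a hint that points away from the origin serving the form.
    return page.origin === hint.origin &&
      trim(page.pathname) === trim(hint.pathname);
  } catch (e) {
    return false; // unparsable URL: behave as if no hint was published
  }
}

function classifyForm(form, pageUrl, hintUrl) {
  const score = { login: 0, signup: 0, change: 0 };
  const pw = form.fields.filter((f) => f.type === "password");
  if (pw.length === 0) return { kind: "other", score };
  const cur = pw.some((f) => f.autocomplete === "current-password");
  const fresh = pw.some((f) => f.autocomplete === "new-password");
  const identity = form.fields.some(
    (f) => f.type === "email" || f.autocomplete === "username");

  if (pw.length === 1) score.login += 2;
  if (pw.length === 2) { score.signup += 1; score.change += 1; }
  if (pw.length >= 3) score.change += 2;
  if (cur && fresh) score.change += 2;
  if (fresh && !cur) score.signup += 1;
  if (identity) { score.login += 1; score.signup += 1; }
  // The site's own declaration outweighs any single markup guess.
  if (matchesHint(pageUrl, hintUrl)) score.change += 3;

  // Highest score wins; ties fall to the earlier key (login, signup, change).
  const kind = Object.keys(score).reduce((a, b) => (score[b] > score[a] ? b : a));
  return { kind, score };
}

// Constructed sample: two unlabeled password fields plus an e-mail field.
const ambiguousForm = { fields: [{ type: "email" }, { type: "password" }, { type: "password" }] };
```

Without a hint the constructed form scores as a signup form; the same form on the page the site declares as its credential-change page is classified as a password change, and a hint pointing at a different origin is ignored.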
