W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2018

Not expose credentials under Credential Management to JS?

From: John Wilander <wilander@apple.com>
Date: Mon, 12 Feb 2018 21:21:27 -0800
Message-id: <AB7BA407-0EBA-48D0-ADC2-CBB1F7310F1C@apple.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi again WebAppSec!

Not exposing credentials under Credential Management to JavaScript was discussed briefly at TPAC. Both Apple and Mozilla raised concerns.
https://www.w3.org/2017/11/06-webappsec-minutes.html#item06 <https://www.w3.org/2017/11/06-webappsec-minutes.html#item06>

Since then we’ve learnt more about trackers exfiltrating credentials in the wild:
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ <https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/>

… and web analytics accidentally exfiltrating passwords:
https://techcrunch.com/2018/02/05/mixpanel-passwords/ <https://techcrunch.com/2018/02/05/mixpanel-passwords/>

In addition, several of us are debating the dangers of non-SRI 3rd-party scripts on the Twitters.

In light of these things, I would like to revisit the decision to expose credentials under Credential Management to JavaScript. If we could block them we could offer safer and more convenient logins than today. How do we get there?

   Regards, John
Received on Tuesday, 13 February 2018 05:27:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 13 February 2018 05:27:15 UTC