
Re: Not expose credentials under Credential Management to JS?

From: Jochen Eisinger <eisinger@google.com>
Date: Tue, 20 Feb 2018 16:33:01 +0000
Message-ID: <CALjhuie0v8wrL-GwO5+j=KRFAgRcuEpdLph-MDYHaXn48HqB_w@mail.gmail.com>
To: John Wilander <wilander@apple.com>
Cc: Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I left TPAC with the impression that there was no implementor interest. Has
this changed?

John Wilander <wilander@apple.com> wrote on Wed, 14 Feb 2018, 01:02:

> On Feb 13, 2018, at 2:21 AM, Craig Francis <craig.francis@gmail.com>
> wrote:
>
> I believe Mike West has done some work related to this:
>
> http://mikewest.github.io/credentialmanagement/writeonly/
>
> Personally I'd love to use the @writeonly attribute on other fields as
> well - e.g. hidden input for a CSRF token; or applying it to all fields
> when JavaScript does not need to touch the data.
>
>
> Thanks, Craig!
>
> Mike, do you intend to incorporate write-only elements in CM? Would they
> be required for CM to work or would they be opt-in?
>
> Any other thoughts on this issue?
>
>    Regards, John
>
>
>
> On 13 Feb 2018, at 05:21, John Wilander <wilander@apple.com> wrote:
>
> Hi again WebAppSec!
>
> Not exposing credentials under Credential Management to JavaScript was
> discussed briefly at TPAC. Both Apple and Mozilla raised concerns.
> https://www.w3.org/2017/11/06-webappsec-minutes.html#item06
>
> Since then we’ve learnt more about trackers exfiltrating credentials in
> the wild:
>
> https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
>
> … and web analytics accidentally exfiltrating passwords:
> https://techcrunch.com/2018/02/05/mixpanel-passwords/
>
> In addition, several of us are debating the dangers of non-SRI 3rd-party
> scripts on the Twitters.
>
> In light of these things, I would like to revisit the decision to expose
> credentials under Credential Management to JavaScript. If we could block
> them we could offer safer and more convenient logins than today. How do we
> get there?
>
>    Regards, John
>
>
>
>
Received on Tuesday, 20 February 2018 16:34:10 UTC
