W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2018

Re: Not expose credentials under Credential Management to JS?

From: Mike West <mkwst@google.com>
Date: Tue, 20 Feb 2018 18:05:27 +0100
Message-ID: <CAKXHy=fcYxyceM2n+iK1f6ASoNiQmM5YyFg_mbQwhBY9jKaHhA@mail.gmail.com>
To: Jochen Eisinger <eisinger@google.com>, Daniel Bates <dbates@webkit.org>
Cc: John Wilander <wilander@apple.com>, Craig Francis <craig.francis@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I recall it being more of an open question.

I believe we decided that I'd split the credential management spec into an
API framework on the one hand, and PasswordCredential/FederatedCredential
on the other (that's currently blocked on finishing
https://github.com/w3c/webappsec-credential-management/pull/100). There
seemed to be some interest in iterating on the latter, and I recall Daniel
Bates being interested in exploring more esoteric mechanisms
(zero-knowledge proofs, etc).

I'll add it to the agenda for tomorrow's call. I do think it's worth
talking about in more detail if folks are interested in doing so.

-mike

On Tue, Feb 20, 2018 at 5:33 PM, Jochen Eisinger <eisinger@google.com>
wrote:

> I left TPAC with the impression that there was no implementor interest.
> Has this changed?
>
> John Wilander <wilander@apple.com> wrote on Wed., 14 Feb 2018, 01:02:
>
>> On Feb 13, 2018, at 2:21 AM, Craig Francis <craig.francis@gmail.com>
>> wrote:
>>
>> I believe Mike West has done some work related to this:
>>
>> http://mikewest.github.io/credentialmanagement/writeonly/
>>
>> Personally I'd love to use the @writeonly attribute on other fields as
>> well - e.g. hidden input for a CSRF token; or applying it to all fields
>> when JavaScript does not need to touch the data.
>>
>>
>> Thanks, Craig!
>>
>> Mike, do you intend to incorporate write-only elements in CM? Would they
>> be required for CM to work or would they be opt-in?
>>
>> Any other thoughts on this issue?
>>
>>    Regards, John
>>
>>
>>
>> On 13 Feb 2018, at 05:21, John Wilander <wilander@apple.com> wrote:
>>
>> Hi again WebAppSec!
>>
>> Not exposing credentials under Credential Management to JavaScript was
>> discussed briefly at TPAC. Both Apple and Mozilla raised concerns.
>> https://www.w3.org/2017/11/06-webappsec-minutes.html#item06
>>
>> Since then we’ve learnt more about trackers exfiltrating credentials in
>> the wild:
>> https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
>>
>> … and web analytics accidentally exfiltrating passwords:
>> https://techcrunch.com/2018/02/05/mixpanel-passwords/
>>
>> In addition, several of us are debating the dangers of non-SRI 3rd-party
>> scripts on the Twitters.
>>
>> In light of these things, I would like to revisit the decision to expose
>> credentials under Credential Management to JavaScript. If we could block
>> them we could offer safer and more convenient logins than today. How do we
>> get there?
>>
>>    Regards, John
>>
>>
>>
>>
Received on Tuesday, 20 February 2018 17:06:18 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 February 2018 17:06:19 UTC