- From: Theresa O'Connor <hober@apple.com>
- Date: Wed, 06 May 2020 06:43:48 -0700
- To: tag 636 <tag636@gmail.com>
- Cc: "Oda, Terri" <terri.oda@intel.com>, Mike West <mkwst@google.com>, Web Application Security Working Group <public-webappsec@w3.org>, Ricky Mondello <rmondello@apple.com>
Hi,

> I am also concerned that the draft is not considering 3rd level domains
> take over and how an attacker could advertise a password change URL to
> get a Beef kind of hooking of clients in a bot fashion.

Would changing the spec to always use the registrable domain in the URL address your concern? I've filed https://github.com/WICG/change-password-url/issues/20 to track this.

Tess

Received on Wednesday, 6 May 2020 13:44:09 UTC