[whatwg] <input type="password">... restrict reading value from JS?

From: Alex Vincent <ajvincent@gmail.com>
Date: Sun, 10 Jul 2011 03:44:53 -0700
Message-ID: <CAEZ8441quqLJ1X=f=eK77cjJvyeKauW9151HJ7a7bxKq=35WOg@mail.gmail.com>
On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> > For the last 10+ years, password inputs have been accessible from scripts,
> > with nary a complaint.  If I have this code:
>
> Unfortunately, the problem is not that easy to fix: denying access to
> the field does not prevent the attacker from changing the form
> submission URL after autocompletion to achieve the same...


Or even simpler, changing the type attribute to something like "hidden" for
an instant.

I hate it when I don't think things through.

-- 
"The first step in confirming there is a bug in someone else's work is
confirming there are no bugs in your own."
-- Alexander J. Vincent, June 30, 2001
Received on Sunday, 10 July 2011 03:44:53 UTC
