[whatwg] <input type="password">... restrict reading value from JS?

From: Dennis Joachimsthaler <dennis@efjot.de>
Date: Sun, 10 Jul 2011 16:03:30 +0200
Message-ID: <op.vyepb4t948yz2f@dennis-laptop.speedport-w-303v-typ-a>

How about deleting the value if the input type is changed away from the
secure password input type AND that the secure password can only be
submitted to a similar URI.

On 10.07.2011, 12:44, Alex Vincent <ajvincent at gmail.com> wrote:

> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>
>> > For the last 10+ years, password inputs have been accessible from scripts,
>> > with nary a complaint.  If I have this code:
>>
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
>
>
> Or even simpler, changing the type attribute to something like "hidden" for
> an instant.
>
> I hate it when I don't think things through.
>


-- 
Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
Received on Sunday, 10 July 2011 07:03:30 UTC
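
Added example, not part of the thread and not any browser's behaviour: a small model of the two rules proposed in the message above (delete the value when the type leaves "password"; release it only to a similar URI). The class name GuardedPasswordField and the reading of "similar URI" as "same origin as the page" are assumptions.

```javascript
// Added illustration; GuardedPasswordField is a hypothetical name.
// ASSUMPTION: "similar URI" is read as "same origin as the page".
class GuardedPasswordField {
  constructor(pageUrl) {
    this.pageUrl = new URL(pageUrl);
    this.type = "password";
    this.value = "";
  }

  // Rule 1: changing the type away from "password" deletes the value,
  // so a later switch to "hidden" or "text" exposes nothing.
  setType(newType) {
    if (this.type === "password" && newType !== "password") this.value = "";
    this.type = newType;
  }

  // Rule 2: hand the value to the submission only if the (possibly
  // script-modified) action resolves to the page's own origin.
  valueForSubmission(action) {
    let target;
    try {
      target = new URL(action, this.pageUrl); // resolves relative actions
    } catch {
      return null; // unparsable action: release nothing
    }
    // Opaque origins serialise as "null"; never treat two of them as equal.
    if (target.origin === "null" || target.origin !== this.pageUrl.origin) {
      return null;
    }
    return this.value;
  }
}

// Constructed scenario: an autofilled field, then each rule exercised.
function runScenario() {
  const field = new GuardedPasswordField("https://bank.example/login");
  field.value = "constructed-secret";
  const sameOrigin = field.valueForSubmission("/session");
  const crossOrigin = field.valueForSubmission("https://other.example/c");
  field.setType("hidden");
  return { sameOrigin, crossOrigin, afterTypeChange: field.value };
}
```

The model covers only the value and the submission target; script reading the field while it is still type "password", the starting point of the thread, is outside both rules.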