[whatwg] <input type="password">... restrict reading value from JS?

How about deleting the value if the input type is changed away from the
secure password input type AND requiring that the secure password can only
be submitted to a similar URI?

On 10.07.2011, at 12:44, Alex Vincent <ajvincent at gmail.com> wrote:

> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>
>> > For the last 10+ years, password inputs have been accessible from scripts,
>> > with nary a complaint.  If I have this code:
>>
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
>
>
> Or even simpler, changing the type attribute to something like "hidden"
> for an instant.
>
> I hate it when I don't think things through.
>



Received on Sunday, 10 July 2011 07:03:30 UTC
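
The rule proposed at the top of this message, modelled as pure logic in an added example (not code from the thread or from any browser). It assumes "similar URI" means same-origin; the field model, function names and URLs are hypothetical.

```javascript
// Assumption: "similar URI" is read as same scheme + host + port.
function sameOrigin(a, b) {
  try {
    const oa = new URL(a).origin;
    // Opaque origins (data:, file:, ...) serialize to "null"; never similar.
    return oa !== "null" && oa === new URL(b).origin;
  } catch {
    return false; // unparsable target: treat as not similar
  }
}

// Hypothetical model of the state a browser would track for one field.
function createGuardedField(documentUrl, formAction) {
  return {
    documentUrl,
    type: "password",
    value: "",
    // Relative actions resolve against the document, as in form submission.
    action: new URL(formAction, documentUrl).href,
  };
}

// Rule 1: changing the type away from "password" deletes the value,
// so flipping to "hidden" and back yields an empty field.
function setType(field, newType) {
  if (field.type === "password" && newType !== "password") {
    field.value = "";
  }
  field.type = newType;
}

// Script may repoint the form at any time; enforcement happens at submit.
function setAction(field, newAction) {
  try {
    field.action = new URL(newAction, field.documentUrl).href;
  } catch {
    field.action = ""; // invalid URL: fails the check in submit()
  }
}

// Rule 2: the value is released only to a target similar to the document.
function submit(field) {
  if (!sameOrigin(field.action, field.documentUrl)) {
    return { sent: false, reason: "target not similar to document URI" };
  }
  return { sent: true, to: field.action, value: field.value };
}
```

This covers only the two rules in the message. A script running in the page's own origin could still read `value` directly, which is the separate question in the thread subject.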