- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 10 Jul 2011 12:17:39 -0700
> How about deleting the value if the input type is changed away from the
> secure password input type AND that the secure password can only be
> submitted to a similar URI.

Right now, for interoperability, password managers allow a good amount of fuzziness when matching forms, and I do not believe they pay a lot of attention to form method, allow the URL and fields to change slightly, etc. So it's hard to tell an XSS-injected password form from the real deal.

Instead of a complicated technical solution, some browsers require a distinctive user gesture before autocompleting login forms. But then, other vendors believe that this is unacceptable from a usability perspective.

/mz
Received on Sunday, 10 July 2011 12:17:39 UTC
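The matching fuzziness described in the message above, as an added example that is not part of the thread or of any browser's password manager. It is a toy model in plain JavaScript: forms are plain objects standing in for DOM `<form>` elements, `looseMatch` checks only the page origin (the "good amount of fuzziness" case), `strictMatch` additionally checks action origin, method and the field-name set (the "similar URI" idea from the quoted proposal), and `onInputTypeChange` implements the quoted "delete the value when the type changes away from password" suggestion. All hostnames, paths and field names are constructed for illustration.

```javascript
// Added example, not code from the thread. Models a password manager's
// decision of whether a saved login matches a form on the current page.

// Origin of a URL (scheme + host + port); same helper for page and action.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Order-insensitive comparison of two lists of field names.
function sameFieldSet(a, b) {
  const sa = [...a].sort();
  const sb = [...b].sort();
  return sa.length === sb.length && sa.every((name, i) => name === sb[i]);
}

// Loose policy (the interoperability-driven behaviour described above):
// autofill whenever the saved entry was recorded on the same page origin.
// Action URL, method and field set are ignored, so a form injected by XSS
// on that origin looks exactly like the real one.
function looseMatch(saved, form) {
  return originOf(saved.pageUrl) === originOf(form.pageUrl);
}

// Strict policy (the "similar URI" proposal): also require the same
// submission origin, the same method and the same field names. Note the
// caveat from the message: an injected form that copies all of these is
// still indistinguishable, which is why some vendors fall back to a user
// gesture instead.
function strictMatch(saved, form) {
  return (
    originOf(saved.pageUrl) === originOf(form.pageUrl) &&
    originOf(saved.action) === originOf(form.action) &&
    saved.method.toUpperCase() === form.method.toUpperCase() &&
    sameFieldSet(saved.fields, form.fields)
  );
}

// The quoted proposal: if a script flips an autofilled password field to
// another type (e.g. to read it back as plain text), wipe the value.
// `input` is a plain object standing in for an <input> element.
function onInputTypeChange(input, newType) {
  const wasPassword = input.type === 'password';
  input.type = newType;
  if (wasPassword && newType !== 'password' && input.autofilled) {
    input.value = '';
    input.autofilled = false;
  }
  return input;
}

// Constructed sample: the credential the manager saved on the real login page.
const savedLogin = {
  pageUrl: 'https://example.test/login',
  action: 'https://example.test/session',
  method: 'POST',
  fields: ['username', 'password'],
};

// Constructed sample: the genuine form as rendered later by the site itself
// (query string differs slightly, everything else identical).
const genuineForm = { ...savedLogin, pageUrl: 'https://example.test/login?next=%2F' };

// Constructed sample: a form an XSS payload injected into the same page,
// submitting the credentials to a host the attacker controls via GET.
const injectedForm = {
  pageUrl: 'https://example.test/login?q=payload',
  action: 'https://attacker.test/collect',
  method: 'GET',
  fields: ['username', 'password'],
};

// Summarise what each policy would do with each form.
function decide(policy, form) {
  return policy(savedLogin, form) ? 'autofill' : 'withhold';
}

function demo() {
  return {
    looseGenuine: decide(looseMatch, genuineForm),
    looseInjected: decide(looseMatch, injectedForm),
    strictGenuine: decide(strictMatch, genuineForm),
    strictInjected: decide(strictMatch, injectedForm),
  };
}

console.log(demo());
```

Running it shows the loose policy autofilling both forms while the strict policy withholds the injected one; the `onInputTypeChange` helper clears an autofilled value as soon as the field stops being `type=password`.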