W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2011

[whatwg] <input type="password">... restrict reading value from JS?

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Mon, 11 Jul 2011 14:31:57 -0400
Message-ID: <CAKA+AxntHAU7YNzeGEDxCOzGGbfmZn4xjFfCfwMui6=n1VYY4Q@mail.gmail.com>
On Mon, Jul 11, 2011 at 9:29 AM, Sean Connelly <sean at pbwhere.com> wrote:
> As a web developer, if I wanted access to the password, I would then avoid
> using the <input type="password"> field, and create my own field that reads
> characters (perhaps via onkeyup), and fakes a password field visually.

Then browsers wouldn't autofill it, which would defeat the nastiest
attack here (stealing passwords without user intervention).  But as
noted, you can always submit the form, so it really doesn't help that
much anyway.
Received on Monday, 11 July 2011 11:31:57 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:34 UTC