- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 15 Oct 2014 07:41:50 -0700
- To: Mike West <mkwst@google.com>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>
> <input writeonly type="password">

I think that one huge problem with this is that the attacker will have many other, indirect ways to get the value even if you protect direct access to the field. The two most obvious options include:

1) Change the action value for the form to point to evil.com, where evil.com is in the attacker's control.

2) Change the action of the form to GET while keeping the same method, let it submit, and then examine location.search.

3) Change the action value of the form and the name of the password field so that the posted data is interpreted by the server as an attempt to, say, post a comment.

I worry that there's actually more, and that a lot of nasty "taint tracking" heuristics would be required to make it go away.

/mz
Received on Wednesday, 15 October 2014 14:45:09 UTC
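As an added example, not code from this thread or from any browser vendor: a submit-time audit written from the defender's side that flags the three indirect leak paths listed in the message above (action retargeted off-origin or to another handler, method switched to GET, password field renamed). The form is described as a plain object so it runs outside a browser, and the page URL, endpoint and field names are constructed placeholders.

```javascript
// Added example, not code from the thread: audit a password-bearing form at
// submit time against the three indirect leak paths Zalewski lists. The form
// is described as a plain object so the check runs outside a browser; page
// URL, endpoint and field names are constructed placeholders.
function auditPasswordForm(form, pageUrl, expected) {
  const problems = [];
  const page = new URL(pageUrl);
  // A missing action submits to the current page; relative ones resolve against it.
  const action = new URL(form.action || '', page);
  const wanted = new URL(expected.action, page);

  // 1) action retargeted to an attacker-controlled origin
  if (action.origin !== page.origin) {
    problems.push(`action points off-origin: ${action.origin}`);
  } else if (action.pathname !== wanted.pathname) {
    // 3) same origin, but a different handler (e.g. a comment endpoint)
    problems.push(`action path changed to ${action.pathname}`);
  }

  // 2) method switched to GET: the value would land in the query string
  const method = (form.method || 'get').toLowerCase(); // HTML default is GET
  if (method !== 'post') {
    problems.push(`method is ${method.toUpperCase()}, not POST`);
  }

  // 3) password field renamed so the server reads it as ordinary data
  const pwd = (form.fields || []).find(f => f.type === 'password');
  if (!pwd) {
    problems.push('no password field present');
  } else if (pwd.name !== expected.field) {
    problems.push(`password field renamed to "${pwd.name}"`);
  }
  return problems;
}

// Constructed sample: the page, the expected login endpoint and the untampered form.
const PAGE = 'https://app.example/login';
const EXPECTED = { action: '/login', field: 'password' };
const LOGIN_FORM = {
  action: '/login',
  method: 'POST',
  fields: [{ name: 'user', type: 'text' }, { name: 'password', type: 'password' }],
};

console.log(auditPasswordForm(LOGIN_FORM, PAGE, EXPECTED)); // [] for the clean form
```

In a browser this would run inside a `submit` listener that builds the object from the form's `action`, `method` and `input` elements and calls `preventDefault()` when problems are returned. A script that can rewrite the form can also remove that listener, which is the point of the message: the heuristic would have to live in the browser, not the page.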