Re: [whatwg] Proposal: Write-only submittable form-associated controls.

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 15 Oct 2014 07:41:50 -0700
Message-ID: <CALx_OUAZ=2ao2+_rt7BO=+jrnmUPXz8-ocnALXS4q_H+LUSLvw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>

>     <input writeonly type="password">

I think that one huge problem with this is that the attacker will have
many other, indirect ways to get the value even if you protect direct
access to the field. Two most obvious options include:

1) Change the action value for the form to point to evil.com, where
evil.com is in the attacker's control,

2) Change the action of the form to GET while keeping the same method,
let it submit, and then examine location.search.

3) Change the action value of the form and the name of the password
field so that the posted data is interpreted by the server as an
attempt to, say, post a comment.

I worry that there's actually more, and that a lot of nasty "taint
tracking" heuristics would be required to make it go away.

/mz
Received on Wednesday, 15 October 2014 14:45:09 UTC
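
The three indirect channels listed in the message all work by changing submission-relevant form state (the action, the method, or a field name) after the page was served. As an added example, not part of the original message or the proposal, the sketch below compares a form's state at submit time against the state it was served with and reports which of those channels changed. The names `snapshotForm` and `auditForm`, the finding labels and the sample data are hypothetical, and the check covers only the three cases listed above.

```javascript
// Added example; snapshotForm and auditForm are hypothetical names.
// A form state is a plain object, so the check also runs without a DOM:
//   { action: absolute URL, method: "post" | "get", fields: { id: name } }

// Capture the submission-relevant state of a real <form> (browser only).
function snapshotForm(form) {
  const fields = {};
  for (const el of form.elements) {
    if (el.id) fields[el.id] = el.name;
  }
  return { action: form.action, method: form.method.toLowerCase(), fields };
}

// Compare the state at submit time with the state the page was served with.
function auditForm(baseline, current) {
  const findings = [];
  const was = new URL(baseline.action);
  const now = new URL(current.action);
  if (now.origin !== was.origin) {
    findings.push("action-origin-changed");   // case 1: posts to another origin
  } else if (now.pathname !== was.pathname) {
    findings.push("action-path-changed");     // case 3: another endpoint, same site
  }
  if (current.method !== baseline.method) {
    findings.push("method-changed");          // case 2: value ends up in the URL
  }
  for (const [id, name] of Object.entries(baseline.fields)) {
    if (current.fields[id] !== name) {
      findings.push("field-name-changed:" + id); // case 3: renamed or removed field
    }
  }
  return findings;
}

// Constructed sample data (example.test is a reserved test domain).
const served = {
  action: "https://app.example.test/login",
  method: "post",
  fields: { pw: "password", user: "username" },
};
const tampered = {
  action: "https://app.example.test/comments/new",
  method: "get",
  fields: { pw: "comment_body", user: "username" },
};
console.log(auditForm(served, served));
console.log(auditForm(served, tampered));
```

In a browser, `snapshotForm` would be called once when the page loads and again inside a `submit` listener, with a non-empty result from `auditForm` used to cancel the submission.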