- From: Eduardo' Vela <evn@google.com>
- Date: Thu, 16 Oct 2014 10:36:16 +0200
- To: Mike West <mkwst@google.com>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>
1. How are keyup/down/press restrictions useful for password protection? Actually they seem more useful for CSRF instead.
2. How is the tainting problem simplified by focusing on write only?
3. How is tagging the credential as write-only help with the secure deployment of a site-wide CSP policy?
4. Why are sites that echo passwords in password fields shooting themselves in the foot?

Also, since it seems I didn't explain myself correctly with what I meant with Channel ID, I'll explain it differently.

Imagine if the password manager, instead of just syncing passwords around, also moved an httpOnly cookie. And whenever it detects the password going by, it appends the httpOnly cookie. If the server detects such a cookie in the request, it concatenates it after the password and uses that as the auth credential.

On the server, this only requires a one-line change (adding the cookie at the end if present); on the client the APIs already exist. The same can be done with Channel ID, with the further advantage that the OBC can't be copied. The advantage of the cookie approach is that it can be morphed and generated more easily.

Also, as a point of reference, we've redone authentication many more times in a lot less time with a lot less resources than deployed CSP across all of Google. So yes, it's easier.
Received on Thursday, 16 October 2014 08:36:41 UTC
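The server-side half of the cookie-appending scheme described in the message above, as an added example that is not part of the thread: the stored credential hash covers password + cookie, so a password captured on its own (without the httpOnly cookie the password manager would attach) does not verify. The in-memory user store, the use of PBKDF2 for the stored hash, and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple, Dict

# Constructed stand-in for a user database: username -> (salt, hash).
# Assumption for this example; a real deployment would use its own store.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}


def _derive(secret: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 is an assumption here; any password hash works the same way.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def effective_credential(password: str, auth_cookie: Optional[str]) -> str:
    """The 'one line change' from the e-mail: append the httpOnly cookie
    to the password when the request carries it, otherwise use the
    password alone."""
    return password + (auth_cookie or "")


def register(username: str, password: str, auth_cookie: str) -> None:
    """Enrol a user; the stored hash covers password + cookie."""
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _derive(effective_credential(password, auth_cookie), salt))


def login(username: str, password: str, auth_cookie: Optional[str]) -> bool:
    """Verify a login attempt. A request without the cookie (e.g. a
    password replayed from somewhere other than the user's password
    manager) hashes a different credential and fails."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    candidate = _derive(effective_credential(password, auth_cookie), salt)
    return hmac.compare_digest(candidate, expected)
```

The example models only the server; the client side (the password manager syncing and attaching the cookie) is the part the message says existing APIs already cover.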