
Re: [whatwg] Proposal: Write-only submittable form-associated controls.

From: Eduardo' Vela <evn@google.com>
Date: Thu, 16 Oct 2014 10:36:16 +0200
Message-ID: <CAFswPa-jR1_Vz2JrNTnD=E9Tar5CH10PQW_-c0gbB=_7wiHBOg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>

1. How are keyup/down/press restrictions useful for password protection?
Actually they seem more useful for CSRF instead.
2. How is the tainting problem simplified by focusing on write only?
3. How does tagging the credential as write-only help with the secure
deployment of a site-wide CSP policy?
4. Why are sites that echo passwords in password fields shooting themselves
in the foot?

Also, since it seems I didn't explain myself correctly with what I meant
with Channel ID, I'll explain it differently.

Imagine if the password manager, instead of just syncing passwords around
also moved an httpOnly cookie. And whenever it detects the password going
by it appends the httpOnly cookie.

If the server detects such cookie in the request it concatenates it after
the password and uses that as the auth credential.

On the server, this only requires a one line change (adding the cookie at
the end if present), on the client the APIs already exist.

Same can be done with Channel ID with the further advantage that the OBC
can't be copied. The advantage of the cookie approach is that it can be
morphed and generated more easily.

Also, as a point of reference we've redone authentication many more times
in a lot less time with a lot less resources than deployed CSP across all
of Google. So yes, it's easier.
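To make the server-side half of the cookie proposal concrete, here is an added example (written for this archive page, not code from the thread or from Google). It assumes a cookie named `pm_device` carried by the password manager, a PBKDF2 store for the combined credential, and a plain header dict standing in for the request; all three are assumptions. Because the stored hash covers password plus cookie, a password captured on its own no longer verifies, while an account registered without the cookie keeps working unchanged.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Name of the cookie the password manager is assumed to send (constructed).
DEVICE_COOKIE = "pm_device"
PBKDF2_ITERATIONS = 100_000


def derive_credential(password: str, device_cookie: Optional[str]) -> bytes:
    """The 'one line change': append the cookie to the password if present."""
    return (password + (device_cookie or "")).encode("utf-8")


def extract_device_cookie(headers: Dict[str, str]) -> Optional[str]:
    """Pull the device cookie out of a request's Cookie header, if any."""
    raw = headers.get("Cookie", "")
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name == DEVICE_COOKIE and value:
            return value
    return None


def register(password: str, device_cookie: Optional[str],
             salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a salted PBKDF2 hash of password||cookie (the combined credential)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", derive_credential(password, device_cookie), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest}


def verify(record: Dict[str, bytes], password: str,
           device_cookie: Optional[str]) -> bool:
    """Recompute the combined credential and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", derive_credential(password, device_cookie),
        record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def login(record: Dict[str, bytes], password: str,
          headers: Dict[str, str]) -> bool:
    """Server entry point: read the cookie from the request, then verify."""
    return verify(record, password, extract_device_cookie(headers))


if __name__ == "__main__":
    # Constructed sample values; a real cookie would be a long random token.
    cookie = "c0nstructed-device-token"
    record = register("hunter2", cookie)

    # Legitimate login from the device whose password manager holds the cookie.
    print(login(record, "hunter2", {"Cookie": f"{DEVICE_COOKIE}={cookie}; other=1"}))
    # The same password replayed without the cookie does not verify.
    print(login(record, "hunter2", {}))
    # An account set up without a password manager still works as before.
    legacy = register("hunter2", None)
    print(login(legacy, "hunter2", {}))
```

The check runs entirely on the server, so no form or script change is needed at the page level; the only client-side requirement is that the password manager attaches the cookie to the same request that carries the password.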

Received on Thursday, 16 October 2014 08:36:41 UTC