- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 26 Mar 2007 09:52:50 -0400
- To: Web Security Context WG <public-wsc-wg@w3.org>
For Firefox, we only auto-fill form content for pages where:

a) The scheme://hostname:port of the web page matches that which was used when the password was originally stored, AND

b) The scheme://hostname:port of the form's ACTION URL matches that which was used when the password was originally stored.

Naive approaches to password management may use only a) above. The problem here is that it can lead to an XSS-style attack where people would put malicious login forms on sites like myspace within the user-specified content. Since the page was presented by myspace, saved myspace credentials would be auto-filled, however on submit, the form would direct the data elsewhere.

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

On 26-Mar-07, at 9:31 AM, Web Security Context Issue Tracker wrote:

> ISSUE-21: Reply to question - what do pword managers do to ensure they don't "leak" pwords?
>
> http://www.w3.org/2006/WSC/Group/track/issues/21
>
> Raised by: Mary Ellen Zurko
> On product: Note: use cases etc.
>
> http://lists.w3.org/Archives/Public/public-usable-authentication/2007Mar/0032.html
> But in 8.4, what do the managers use to make sure they don't give the credentials to a phisher?
>
> I do not know. Can someone in the WG please reply with an answer to this part?
> Should be easy for anyone with a clue.
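The two-part origin check Johnathan describes, modelled as an added example. This is not code from the original mail or from Firefox's password manager; the function names, the sample credential store and the URLs are constructed for illustration. It uses the WHATWG URL API (available in browsers and Node) and normalises default ports so that `https://host` and `https://host:443` compare equal, and it resolves a relative form action against the page URL, which is the case the injected-form attack in the mail relies on.

```javascript
// Added example: model of the page-origin + action-origin auto-fill check
// described in the mail. Names are assumptions for illustration.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to a canonical "scheme://hostname:port" key. Relative URLs
// (typical form actions) are resolved against `base`, the page URL.
// Anything that is not http(s) yields null so it can never match a stored key.
function originKey(urlString, base) {
  let u;
  try {
    u = new URL(urlString, base);
  } catch (e) {
    return null; // unparseable URL: refuse to fill
  }
  if (!Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, u.protocol)) return null;
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Constructed sample store: a saved login records BOTH origins observed when
// the credential was stored (the page and the form's action target).
const savedLogins = [
  {
    username: 'alice',
    pageOrigin: 'https://www.myspace.com:443',
    actionOrigin: 'https://www.myspace.com:443',
  },
];

// Policy from the mail: fill only if (a) the page origin AND (b) the form's
// action origin both match what was stored. A form without an action
// attribute submits to the page itself, so it falls back to the page URL.
function shouldAutofill(pageUrl, formAction, login) {
  const pageKey = originKey(pageUrl);
  const actionKey = originKey(formAction || pageUrl, pageUrl);
  return pageKey !== null && pageKey === login.pageOrigin && actionKey === login.actionOrigin;
}

// The naive policy (check (a) only), kept for contrast: it fills the
// credential into any form on a matching page regardless of where it posts.
function naiveAutofill(pageUrl, login) {
  return originKey(pageUrl) === login.pageOrigin;
}

// Convenience wrapper: find the first stored login eligible for this form.
function findFillableLogin(pageUrl, formAction) {
  return savedLogins.find((l) => shouldAutofill(pageUrl, formAction, l)) || null;
}
```

Run against a legitimate login page the action resolves to the same origin and the credential is offered; against a user-content page that carries a form posting to another host, the naive check still says "fill" while the two-part check refuses.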
Received on Monday, 26 March 2007 13:53:06 UTC