Re: [Proposal] New Guideline 6 checkpoints (APIs, Infoset, DOM)

"Jon Gunderson" <jongund@uiuc.edu>
> I think that developers will not want to leave a hole open for
programmatic
> access to secure information.  They can provide a secure API, but I
don't
> think this will work unless we have a spec available to show them now.
I
> don't think it is part of the current DOM requirements, but if it is
then I
> with draw my suggestion.  I don't think we should require more
information
> be provided through the API than what the user would get through the
> standard user interface.   You can always do more.

The value of the password element is already exposed in DOM 0 (and
later), the asterixing is purely visual, it's often also misleading to
user/developers that it is in some way more secure than other form
elements, when it is not.  I think it would be more useful to expose the
value rather than the asterix's or blobs that are used now - it doesn't
introduce any new security holes, and the information is not secure.

For genuine secure information, that may be different, but do we have
any?

Jim.

Received on Tuesday, 21 May 2002 10:56:59 UTC