- From: Robert Chapin <w3-list@info-svc.com>
- Date: Sat, 2 Dec 2006 10:00:36 -0500
- To: <www-style@w3.org>
If UAs interpret this property as a display feature for non-password inputs, then a phisher could create a quasi-password input under CSS3 that appears identical to a legitimate password input. On the other hand, if UAs interpret this property as an instruction to convert non-password inputs into trusted password inputs, then anyone with the ability to inject some CSS could potentially compromise the UA and its credential store. _____________ Robert Chapin Chapin Information Services, Inc. -----Original Message----- From: Bjoern Hoehrmann [mailto:derhoermi@gmx.net] Sent: Saturday, December 02, 2006 5:42 AM To: Robert Chapin Cc: www-style@w3.org Subject: Re: [CSS3UI] Concerned about Appearance:Password * Robert Chapin wrote: >In light of new attack vectors described at ... > >http://www.info-svc.com/news/11-21-2006/ > >.... it is highly unlikely that an Appearance:Password property would >be implemented in a safe way. I don't see the relationship between the two, could you elaborate? -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de 68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 2 December 2006 15:05:56 UTC