- From: Robert Chapin <w3-list@info-svc.com>
- Date: Mon, 4 Dec 2006 03:59:35 -0500
- To: <www-style@w3.org>

But it's not just "an input" if the phisher can modify its behavior through CSS. This is especially dangerous when 'type=password' has been blacklisted. It may not be a good policy, but it works, and CSS3 will break it.

_____________
Robert Chapin
Chapin Information Services, Inc.

-----Original Message-----
From: www-style-request@w3.org [mailto:www-style-request@w3.org] On Behalf Of Patrick H. Lauke
Sent: Saturday, December 02, 2006 6:07 PM
To: www-style@w3.org
Subject: Re: [CSS3UI] Concerned about Appearance:Password

Robert Chapin wrote:
> If UAs interpret this property as a display feature for non-password
> inputs, then a phisher could create a quasi-password input under CSS3
> that appears identical to a legitimate password input.

But if a phisher can already generate an input and then route the form to one of their own sites to store the input, or lure an unsuspecting user to a page that's theirs in the first place, I don't see how using CSS would make it any easier for them than just creating an actual password input. Or am I missing something?

P
--
Patrick H. Lauke
__________________________________________________________
re.dux (adj.): brought back; returned. used postpositively
[latin : re-, re- + dux, leader; see duke.]
www.splintered.co.uk | www.photographia.co.uk
http://redux.deviantart.com
__________________________________________________________
Web Standards Project (WaSP) Accessibility Task Force
http://webstandards.org/
__________________________________________________________

Received on Monday, 4 December 2006 09:00:41 UTC
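
The gap raised in this thread, as an added example that is not part of the original messages: a filter for submitted markup that blacklists only `type=password` passes a text input styled with the `appearance: password` value named in the subject line. The function name, the restriction to inline `style` attributes and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# An 'appearance' declaration (optionally vendor-prefixed) whose value is
# 'password', as in the thread's subject line "Appearance:Password".
APPEARANCE_PASSWORD = re.compile(
    r"(?:^|;)\s*(?:-[a-z]+-)?appearance\s*:\s*password\b", re.I
)


class PasswordLookalikeFinder(HTMLParser):
    """Collects <input> elements that are, or are styled as, password fields."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (reason, input name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() == "password":
            # What a type-only blacklist already catches.
            self.findings.append(("type", a.get("name", "")))
        elif APPEARANCE_PASSWORD.search(a.get("style", "")):
            # What a type-only blacklist misses: non-password input, password look.
            self.findings.append(("css", a.get("name", "")))


def find_password_lookalikes(markup):
    """Return (reason, name) for each input a password blacklist should reject.

    Assumption: only inline style attributes are inspected. A filter that also
    admits <style> blocks or linked stylesheets has to check those as well.
    """
    finder = PasswordLookalikeFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed sample of user-submitted markup.
SAMPLE = (
    '<form action="/comment">'
    '<input type="text" name="nick">'
    '<input type="password" name="p1">'
    '<input type="text" name="p2" style="color:black; Appearance: password">'
    '</form>'
)

if __name__ == "__main__":
    for reason, name in find_password_lookalikes(SAMPLE):
        print(f"reject input {name!r}: matched by {reason}")
```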