- From: Matthew Raymond <mattraymond@earthlink.net>
- Date: Mon, 04 Dec 2006 20:39:13 -0500
- To: Robert Chapin <w3-list@info-svc.com>
- CC: www-style@w3.org
Robert Chapin wrote:
> But it's not just "an input" if the phisher can modify its behavior through
> CSS. This is especially dangerous when 'type=password' has been
> blacklisted. It may not be a good policy, but it works, and CSS3 will break
> it.

I think I understand what you're getting at. You think that people will mistake a regular <input type="text"> styled with "display: password" for an <input type="password">. There are two problems with this line of thinking.

First, you give people too much credit. I was watching Heroes a few days ago, and in the episode someone entered a series of passwords where the letters were plainly visible. Don't assume that people will even notice that the characters aren't masked. We're talking about people who think the blue "e" is the Internet.

Second, I don't see how CSS can be injected into most sites. You could claim that someone could use the |style| attribute to add styling, but it would be easy to just drop all |style| elements. It would also be fairly simple to filter out "display: password". Since you're indicating that the webmaster is already filtering out <input type="password">, <input style="display: password"> shouldn't be that much harder.

I don't understand what this has to do with passwords being automatically filled by the browser, though. Clearly, the browser decides what element to insert the password into based on markup, not styling.

Received on Tuesday, 5 December 2006 01:39:39 UTC