[whatwg] <input type="password">... restrict reading value from JS?

Bjartur Thorlacius svartman95 at gmail.com
Mon Jul 11 10:11:22 PDT 2011


Þann sun 10.júl 2011 08:08, skrifaði Alex Vincent:
> /**
>   * Check if a password field's value matches another.
>   *
>   * @param otherPassword Another password element.
>   *
>   * @throws Error if this.type != "password"
>   * @throws Error if other.type != "password"
>   *
>   * @returns Boolean True if the fields match.
>   */
> boolean passwordEquals(in HTMLInputElement otherPassword);
>
I believe this to belong to CSS. User agents could either ask or require 
users to input error-prone and important fields twice, without 
submitting the same value twice. This could be the default rendering (in 
some UAs) for strong inputs (i.e. <input> descendants of <strong>). This 
has the potential benefit of allowing media-aware prefixes for locales 
where that makes sense (as in 'Retype Password' vs 'Confirm Password'). 
Note that the confirmation input in 
<http://www.whatwg.org/specs/web-apps/current-work/multipage/common-input-element-attributes.html#the-required-attribute> 
is optional.

<!DOCTYPE html>
<title>Register a FooBar account</title>
<form action=register method=POST>
<label>Username	<input name=user	required></label>
<strong><input type=password name=pass	required></strong>
</form>

> /**
>   * Check the strength of the password.
>   *
>   * @param type The type of check to execute.
>   *
>   * @returns 0 if dangerously low security
>   * @returns 1 if "soon-to-be-deprecated" low security
>   * @returns 2 if adequate security
>   * @returns 3 if good security
>   * @returns 4 if strong security
>   * @returns 5 if entropy-death-of-the-universe security :-)
>   */
> unsigned octet passwordStrength(in DOMString type);
>
I don't think this is a good idea. Can't user-agents warn about insecure 
passwords without the help of author-supplied scripts?



More information about the whatwg mailing list