[whatwg] <input type="password">... restrict reading value from JS?

Michal Zalewski lcamtuf at coredump.cx
Sun Jul 10 03:21:03 PDT 2011

> For the last 10+ years, password inputs have been accessible from scripts,
> with nary a complaint.  If I have this code:

Denying access to password fields from JavaScript is actually a
somewhat interesting security enhancement when you consider the
behavior of password managers. Right now, if you exploit an XSS on
https://www.mybank.com, you can navigate the browser to the login
form, wait for the user name and password field to be autocompleted,
grab the data, and effectively turn your transient access into
long-lived credentials theft.

Unfortunately, the problem is not that easy to fix: denying access to
the field does not prevent the attacker from changing the form
submission URL after autocompletion to achieve the same; or even
simply changing method from POST to GET, setting target=foo, and
leveraging same-origin access to the post-submit page to read back the
password-containing URL.


More information about the whatwg mailing list