[whatwg] <input type="password">... restrict reading value from JS?

Alex Vincent ajvincent at gmail.com
Sun Jul 10 03:44:53 PDT 2011


On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> > For the last 10+ years, password inputs have been accessible from scripts,
> > with nary a complaint.  If I have this code:
>
> Unfortunately, the problem is not that easy to fix: denying access to
> the field does not prevent the attacker from changing the form
> submission URL after autocompletion to achieve the same...


Or even simpler, changing the type attribute to something like "hidden" for
an instant.

I hate it when I don't think things through.

-- 
"The first step in confirming there is a bug in someone else's work is
confirming there are no bugs in your own."
-- Alexander J. Vincent, June 30, 2001
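
Both variations mentioned in this message (retargeting the form's submission URL, and switching the field's type for an instant) appear to the page as attribute mutations, so they can at least be detected. The sketch below is an added example, not part of the original thread; the function names and the shape of the findings are hypothetical.

```javascript
// Added example (not from the thread). Pure classifier over MutationRecord-like
// objects, so the logic can be exercised outside a browser.
const lower = (v) => (v || "").toLowerCase();

// A record carries only oldValue. The value it set is the oldValue of the next
// record for the same node and attribute, or the live attribute if none follows.
function newValueOf(records, i) {
  const r = records[i];
  const next = records.slice(i + 1).find((n) => n.type === "attributes" &&
    n.target === r.target && n.attributeName === r.attributeName);
  return next ? next.oldValue : r.target.getAttribute(r.attributeName);
}

function flagPasswordMutations(records) {
  const attrs = records.filter((r) => r.type === "attributes");
  const isInput = (el) => lower(el.tagName) === "input";
  // Forms whose field was type=password at some point in this batch.
  const hadPassword = new Set(attrs
    .filter((r) => isInput(r.target) && r.attributeName === "type" && lower(r.oldValue) === "password")
    .map((r) => r.target.form));
  const sensitive = (form) => Boolean(form) &&
    (hadPassword.has(form) || form.querySelector('input[type="password"]') !== null);
  const findings = [];
  attrs.forEach((r, i) => {
    const el = r.target, name = r.attributeName, to = newValueOf(attrs, i);
    if (isInput(el) && name === "type" && lower(r.oldValue) === "password" && lower(to) !== "password") {
      findings.push({ kind: "type-changed", from: r.oldValue, to });
    } else if (name === "action" || name === "formaction") {
      const form = lower(el.tagName) === "form" ? el : el.form;
      if (sensitive(form) && to !== r.oldValue) findings.push({ kind: name + "-changed", from: r.oldValue, to });
    }
  });
  return findings;
}

// Browser wiring: MutationObserver delivers records in batches after the script
// that made the changes has run, so this detects and reports; it does not block.
function watchPasswordForms(root, report) {
  const observer = new MutationObserver((records) => {
    const findings = flagPasswordMutations(records);
    if (findings.length > 0) report(findings);
  });
  observer.observe(root, { attributes: true, attributeOldValue: true, subtree: true,
    attributeFilter: ["type", "action", "formaction"] });
  return observer;
}
```

Because a type flip that is reverted within the same task leaves the live attribute reading "password" again, the classifier reconstructs each new value from the record sequence instead of trusting the element's current state.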


