[whatwg] <input type="password">... restrict reading value from JS?
Alex Vincent
ajvincent at gmail.com
Sun Jul 10 03:44:53 PDT 2011
On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> > For the last 10+ years, password inputs have been accessible from scripts,
> > with nary a complaint. If I have this code:
>
> Unfortunately, the problem is not that easy to fix: denying access to
> the field does not prevent the attacker from changing the form
> submission URL after autocompletion to achieve the same...
Or even simpler, changing the type attribute to something like "hidden" for
an instant.
I hate it when I don't think things through.
--
"The first step in confirming there is a bug in someone else's work is
confirming there are no bugs in your own."
-- Alexander J. Vincent, June 30, 2001