[whatwg] <input type="password">... restrict reading value from JS?
dennis at efjot.de
Sun Jul 10 07:03:30 PDT 2011
How about deleting the value if the input type is changed away from the
secure password input type AND that the secure password can only be
submitted to a similar URI?
On 10.07.2011 at 12:44, Alex Vincent <ajvincent at gmail.com> wrote:
> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski
> <lcamtuf at coredump.cx> wrote:
>> > For the last 10+ years, password inputs have been accessible from
>> > with nary a complaint. If I have this code:
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
> Or even simpler, changing the type attribute to something like "hidden"
> an instant.
> I hate it when I don't think things through.
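The two rules proposed in this message, modelled as an added example (not part of the original post and not any browser's code). It assumes "similar URI" means same origin; `isSimilarUri` and `SecurePasswordModel` are hypothetical names, and the URLs are constructed.

```javascript
// Assumption: "similar URI" = same origin (scheme + host + port) as the page.
function isSimilarUri(pageUrl, actionUrl) {
  try {
    const page = new URL(pageUrl);
    // Relative actions resolve against the page URL, as a form action would.
    const action = new URL(actionUrl, pageUrl);
    // Opaque origins (data:, file:, javascript:) serialize to "null": refuse them.
    return page.origin !== 'null' && page.origin === action.origin;
  } catch {
    return false; // unparseable action URL: refuse
  }
}

// Model of a password field that follows both proposed rules.
class SecurePasswordModel {
  constructor(pageUrl, action) {
    this.pageUrl = pageUrl;
    this.action = action; // form submission URL, may be rewritten by script
    this.type = 'password';
    this.value = '';
  }

  // Rule 1: changing the type away from "password" deletes the value.
  setType(newType) {
    if (this.type === 'password' && newType !== 'password') {
      this.value = '';
    }
    this.type = newType;
  }

  // Rule 2: the value is only released to a similar URI.
  // Returns the value that would be transmitted, or null if withheld.
  submit() {
    if (!isSimilarUri(this.pageUrl, this.action)) {
      return null;
    }
    return this.value;
  }
}
```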