[whatwg] <input type="password">... restrict reading value from JS?

Dennis Joachimsthaler dennis at efjot.de
Sun Jul 10 07:03:30 PDT 2011


How about deleting the value if the input type is changed away from the
secure password input type AND that the secure password can only be
submitted to a similar URI?

On 10.07.2011 at 12:44, Alex Vincent <ajvincent at gmail.com> wrote:

> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>
>> > For the last 10+ years, password inputs have been accessible from scripts,
>> > with nary a complaint.  If I have this code:
>>
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
>
>
> Or even simpler, changing the type attribute to something like "hidden" for
> an instant.
>
> I hate it when I don't think things through.
>


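The two rules proposed in this message, as a toy model run against the two bypasses quoted in the thread. This is an added example, not code from the thread or from any browser; `ModelPasswordField`, `runScenarios` and the `.example` URLs are hypothetical, and "similar URI" is assumed to mean same origin.

```javascript
// Toy model (not a browser API) of the two proposed rules:
//   1. changing `type` away from "password" wipes the value;
//   2. the value is only submitted when the form action is "similar" to the page URI.
// ASSUMPTION: "similar URI" is read here as same origin (scheme + host + port).
class ModelPasswordField {
  constructor(pageUrl, autofilledValue) {
    this.pageOrigin = new URL(pageUrl).origin;
    this.type = "password";
    this.value = autofilledValue;
  }

  // Rule 1: leaving the password type clears the stored value for good.
  setType(newType) {
    if (this.type === "password" && newType !== "password") {
      this.value = "";
    }
    this.type = newType;
  }

  // Rule 2: resolve the action against the page and refuse other origins.
  submit(action) {
    let target;
    try {
      target = new URL(action, this.pageOrigin + "/");
    } catch {
      return { sent: false, reason: "unparsable action" };
    }
    if (target.origin !== this.pageOrigin) {
      return { sent: false, reason: "cross-origin action" };
    }
    return { sent: true, value: this.value };
  }
}

// Constructed sample data: an autofilled login form on a hypothetical site.
function runScenarios() {
  const page = "https://bank.example/login";
  const secret = "constructed-sample-password";
  const flipped = new ModelPasswordField(page, secret);
  flipped.setType("hidden");   // type changed "for an instant"
  flipped.setType("password"); // flipping back does not restore the value
  const redirected = new ModelPasswordField(page, secret)
    .submit("https://other.example/collect"); // action changed after autofill
  const normal = new ModelPasswordField(page, secret).submit("/session");
  return { flippedValue: flipped.value, redirected, normal };
}
```

The model covers only the type change and the submission target; it does not restrict a same-origin script from reading `value` directly, which is the question in the thread's subject line.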


