[whatwg] <input type="password">... restrict reading value from JS?
lcamtuf at coredump.cx
Sun Jul 10 12:17:39 PDT 2011
> How about deleting the value if the input type is changed away from the
> secure password input type AND that the secure password can only be
> submitted to a similar URI.
Right now, for interoperability, password managers allow a good amount
of fuzziness when matching forms, and I do not believe they pay a lot
of attention to form method, allow the URL and fields to change
slightly, etc. So it's hard to tell an XSS-injected password form from
the real deal.
Instead of a complicated technical solution, some browsers require a
distinctive user gesture before autocompleting login forms. But then,
other vendors believe that this is unacceptable from usability
More information about the whatwg