[whatwg] <input type="password">... restrict reading value from JS?

Michal Zalewski lcamtuf at coredump.cx
Sun Jul 10 12:17:39 PDT 2011


> How about deleting the value if the input type is changed away from the
> secure password input type AND that the secure password can only be
> submitted to a similar URI.

Right now, for interoperability, password managers allow a good amount
of fuzziness when matching forms, and I do not believe they pay a lot
of attention to form method, allow the URL and fields to change
slightly, etc. So it's hard to tell an XSS-injected password form from
the real deal.

Instead of a complicated technical solution, some browsers require a
distinctive user gesture before autocompleting login forms. But then,
other vendors believe that this is unacceptable from a usability
perspective.

/mz
