[whatwg] <input type="password">... restrict reading value from JS?

Aryeh Gregor Simetrical+w3c at gmail.com
Sun Jul 10 13:38:30 PDT 2011

On Sun, Jul 10, 2011 at 4:08 AM, Alex Vincent <ajvincent at gmail.com> wrote:
> This is just an idea.
> For the last 10+ years, password inputs have been accessible from scripts,
> with nary a complaint.  If I have this code:
>  <form action="javascript:void">
>    <div>
>      <input type="password" id="pw">
>      <button onclick="alert(document.getElementById('pw').value)">Show
> password!</button>
>    </div>
>  </form>
> I can extract the password by clicking on the button.  More to the point,
> with a XHR I can send that password somewhere it shouldn't go... (well, with
> cross-domain security code, maybe not, but that's not the point.)

You can send it anyway by changing the action attribute on the form
and calling submit().  So what attack scenario are you actually
avoiding here?  You'd need a really strong security benefit for it to
be possible to even contemplate breaking so many websites.

More information about the whatwg mailing list