[whatwg] <input type="password">... restrict reading value from JS?
Tab Atkins Jr.
jackalmage at gmail.com
Mon Jul 11 11:12:07 PDT 2011
On Sun, Jul 10, 2011 at 3:44 AM, Alex Vincent <ajvincent at gmail.com> wrote:
> On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski <lcamtuf at coredump.cx>wrote:
>> > For the last 10+ years, password inputs have been accessible from
>> > with nary a complaint. If I have this code:
>> Unfortunately, the problem is not that easy to fix: denying access to
>> the field does not prevent the attacker from changing the form
>> submission URL after autocompletion to achieve the same...
> Or even simpler, changing the type attribute to something like "hidden" for
> an instant.
> I hate it when I don't think things through.
To be fair, we already protect <input type=file> from vaguely similar
type-changing attacks. (You can't make an <input type=text>, fill it
with a filename as the value, then switch to type=file and submit it
to steal files from the user.)
However, as noted, doing this wouldn't help in any way. The script
can redirect the form submission, or just swap out the input entirely
for an <input type=text> that they manually intercept clicks on and
insert * for each keypress (or more deviously, set the font-family for
the text input to a font where every glyph is an asterisk, and then
just read out the value normally).
More information about the whatwg