[whatwg] <input type="password">... restrict reading value from JS?

Aryeh Gregor Simetrical+w3c at gmail.com
Mon Jul 11 11:31:57 PDT 2011

On Mon, Jul 11, 2011 at 9:29 AM, Sean Connelly <sean at pbwhere.com> wrote:
> As a web developer, if I wanted access to the password, I would then avoid
> using the <input type="password"> field, and create my own field that reads
> characters (perhaps via onkeyup), and fakes a password field visually.

Then browsers wouldn't autofill it, which would defeat the nastiest
attack here (stealing passwords without user intervention).  But as
noted, you can always submit the form, so it really doesn't help that
much anyway.

More information about the whatwg mailing list