Boris Zbarsky wrote:
> Alexander Mueller wrote:
>> However HTTPS does not prevent that the Administrator of the
>> destination server is acquiring the actual plain text data.
>
> So the .value of this input would already be hashed? Otherwise, this
> argument fails: the page can just grab the value and do whatever it
> wants with it.

Could be nice to do that, so there would be no way from JavaScript to get the original value the user has typed. But if you do not consider the content of your page as trusted, that means the attacker can just as well replace the 'hash' input field with a normal 'password' input field, get its value, and hash it before it's sent to the server, making the change completely transparent to the user.
