On 12/8/10 5:04 AM, thorsten wrote:
What is a bit risky is: Can they hide the password entry or the form itself ?
Yes.
If they hack something together to hide it, can we detect this hack ?
Maybe. There are lots and lots of ways to hide things; detecting them all without hitting false positives would be a pretty tall order.
Is there another way to detect if a password has just been sent ?
What do you mean?
Is it possible to restrict keypress event listening to non- password entries only?
Not without breaking existing use cases (e.g. my FIOS modem's login page relies on a key listener on the password field, as far as I can tell; certainly the length of the text in the field changes by >1 for every keystroke I make).
-Boris _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
