On 12/9/10 7:54 AM, thorsten wrote:
What is a bit risky is: Can they hide the password entry or the form
itself ?
Yes.
Heck...this is the only thing where I have no plan B. Can you please
tell me how you would hide a password entry from a tool scanning the
DOM ?
Oh, from a tool scanning the DOM you can't. But you can make it appear
in the DOM but be invisible to the user, which is what I thought you
were asking about.
I see now that you want to ask if there's a password entry field on the
page... but the page can just not use such an entry field at all and use
a regular textfiled instead, no?
At the moment I am looking for a password entry in the DOM tree (with
attributes matching the HTTP request). This way I detect "Password
sent". HTTP content is not relevant. Maybe you got a better idea how
to detect that a password is about to be sent.
Given FormData and XHR, isn't this basically the halting problem?
-Boris
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security