> How about deleting the value if the input type is changed away from the
> secure password input type AND that the secure password can only be
> submitted to a similar URI.

Right now, for interoperability, password managers allow a good amount of fuzziness when matching forms, and I do not believe they pay a lot of attention to form method, allow the URL and fields to change slightly, etc. So it's hard to tell an XSS-injected password form from the real deal. Instead of a complicated technical solution, some browsers require a distinctive user gesture before autocompleting login forms. But then, other vendors believe that this is unacceptable from a usability perspective.

/mz
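The matching fuzziness described in the reply above, shown as an added toy model (this is illustration code written for this page, not code from the thread or from any real password manager). It assumes a saved-credential record with the fields `origin`, `actionPath`, `method` and `passwordField`, and forms already parsed from the DOM into plain objects; both forms and the saved record are constructed samples. A "loose" policy fills any form on the saved origin; a "strict" policy, corresponding to the quoted suggestion, also requires the same action path, the same method and an input that is still `type=password`.

```javascript
// Added illustration, not from the original thread: a toy matcher showing why
// a loose policy cannot tell a genuine login form from another form on the
// same origin whose action, method and field types differ, while a strict
// policy can (at a usability cost when sites legitimately move their login path).

const PAGE_URL = "https://example.test/account/signin";   // constructed sample

// Constructed record of what the manager saved at the first successful login.
const savedCredential = {
  origin: "https://example.test",
  actionPath: "/login",
  method: "POST",
  passwordField: "pass",
};

// Constructed form objects as a manager might see them after parsing the DOM.
const genuineForm = {
  action: "/login",
  method: "post",
  fields: [{ name: "user", type: "text" }, { name: "pass", type: "password" }],
};

// Same origin as the saved record, but action path, method and field type differ.
const alteredForm = {
  action: "/collect?x=1",
  method: "get",
  fields: [{ name: "user", type: "text" }, { name: "pass", type: "text" }],
};

// Resolve a form action (relative, absolute, or empty) against the page URL.
function resolveAction(pageUrl, action) {
  return new URL(action || "", pageUrl);
}

// Decide whether `form` on `pageUrl` should receive the saved credential.
// policy "loose": same origin is enough (the behaviour described in the reply).
// policy "strict": origin, action path, method and password field type must agree.
function matchForm(saved, pageUrl, form, policy) {
  const target = resolveAction(pageUrl, form.action);
  if (target.origin !== saved.origin) return false;   // both policies require this
  if (policy === "loose") return true;

  if ((form.method || "GET").toUpperCase() !== saved.method) return false;
  if (target.pathname !== saved.actionPath) return false;
  const pw = form.fields.find((f) => f.name === saved.passwordField);
  return Boolean(pw && pw.type === "password");
}

// Tabulate which forms each policy would autofill.
function fillDecisions(saved, pageUrl, forms) {
  const out = {};
  for (const policy of ["loose", "strict"]) {
    out[policy] = forms.map(([name, form]) => [name, matchForm(saved, pageUrl, form, policy)]);
  }
  return out;
}

console.log(
  fillDecisions(savedCredential, PAGE_URL, [["genuine", genuineForm], ["altered", alteredForm]])
);
```

Under the loose policy both forms are filled, which is the gap the reply points at; under the strict policy only the genuine form is filled, but a site that renames its login endpoint or switches methods would stop autofilling, which is the usability trade-off the vendors disagree about.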