One thing you might be able to do is, before filling out the form, navigate to an intermediary page that contains a <noscript> type of block, and check whether JS is actually enabled on the page. I am not sure server-side code can accurately determine if JS is enabled, and so you'll have to do that client-side on an intermediary page of some sort through HTML and JS before actually submitting the form.
That being said, yes, the password nonetheless would still be visible and accessible in the HTML source. It would be better if you could submit credentials to the app server-side via a special URL that, without exposing the credentials to the client, has the app establish a session and set cookies etc., and you'd then retrieve those and pass them on to the browser, proceeding with the normal flow. This effectively is how Outlook Web Access normally is CASified. Of course, not sure if this at all is possible with the app you're dealing with.

Misagh

From: Scott Massari [mailto:[email protected]]
Sent: Wednesday, July 17, 2013 10:34 AM
To: [email protected]
Subject: [cas-user] ClearPass & Form Fill - password obfuscation

We have successfully implemented ClearPass with our CAS 3.5.2 implementation and utilized it with GroupWise WebAccess by writing a custom Java servlet to complete the form fill. However, we have found that if a client browser has JavaScript disabled, the username and clear-text password will be viewable through the "view source" option in browsers. I would venture this to be a common outcome and concern with ClearPass and wondered if anyone on the list has achieved a solution to this potential security issue. Any thoughts would be appreciated.

Thanks,
Scott

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
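As an added example that is not part of the thread (and not CAS, ClearPass or the poster's GroupWise servlet code): the JavaScript-dependent form fill Scott describes, beside the server-side login relay Misagh suggests, with a constructed stub standing in for the legacy app's login endpoint.

```python
"""Form fill vs. server-side relay of a legacy app login. Added illustration;
the backend login handler below is a constructed stub, not a real app."""
import html
import secrets
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

BackendResponse = Tuple[int, Dict[str, str]]  # (HTTP status, response headers)


def form_fill_page(action: str, username: str, password: str) -> str:
    """Original pattern: credentials in hidden fields, auto-submitted by JS.
    With JavaScript disabled the form is simply rendered, and the clear-text
    password is visible to anyone who opens 'view source'."""
    return (
        f'<form id="f" method="post" action="{html.escape(action)}">'
        f'<input type="hidden" name="user" value="{html.escape(username)}">'
        f'<input type="hidden" name="pass" value="{html.escape(password)}">'
        '</form><script>document.getElementById("f").submit();</script>'
    )


def fake_backend_login(form_body: str) -> BackendResponse:
    """Constructed stand-in for the app's login handler: a valid password
    yields a redirect plus a fresh session cookie, as a real app would."""
    fields = parse_qs(form_body)
    if fields.get("pass", [None])[0] != "s3cret":
        return 401, {}
    return 302, {
        "Set-Cookie": f"JSESSIONID={secrets.token_hex(8)}; Path=/; HttpOnly",
        "Location": "/webaccess/home",
    }


def server_side_login(backend: Callable[[str], BackendResponse],
                      username: str, password: str) -> Optional[Dict[str, str]]:
    """Misagh's alternative: the servlet POSTs the credentials to the app
    itself, keeps only the session cookie the app issues and relays that
    cookie (plus a redirect) to the browser. No page containing the password
    is ever sent to the client, so disabling JavaScript reveals nothing."""
    status, headers = backend(urlencode({"user": username, "pass": password}))
    if status != 302 or "Set-Cookie" not in headers:
        return None  # login failed: show an error page, never the filled form
    return {"Set-Cookie": headers["Set-Cookie"], "Location": headers["Location"]}


if __name__ == "__main__":
    print(form_fill_page("/webaccess/login", "scott", "s3cret"))
    print(server_side_login(fake_backend_login, "scott", "s3cret"))
```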
