cl 2637 for issue 509 removed input type=password from the whitelist.
I'm writing this out mainly for reference.

arguments for input type=password

* a gadget might want a password entry.
  without input type=password, the gadget
  would have to use type=text, and maybe
  simulate the password entry behavior.

* most of the security concerns with type=password
  are also problems with type=text, so if type=text
  is an acceptable risk, type=password is probably also ok.

arguments against input type=password

* vulnerable to autocompletion exploits. see issue 527.
  autocompletion also affects type=text, but it's arguable
  that type=text is less likely to be sensitive data, and
  type=password should have stronger protection.

  that argument doesn't seem very compelling, since
  caja could enforce autocomplete=off.

* perhaps gadgets should be discouraged from having any
  password inputs, because it desensitizes users to phishing.

  that argument doesn't seem very compelling, because a
  gadget author who blindly uses type=password could just
  blindly replace it with type=text.

anything else?
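
The "enforce autocomplete=off" idea from the message above, sketched as an added example that is not part of the original message and not Caja's own code: a rewriting pass over one `<input>` tag's attributes. The names `sanitizeInputAttrs`, `ALLOWED_TYPES` and `AUTOCOMPLETED_TYPES`, the contents of the allowed-type set, and the assumption that all other attributes were already filtered by a separate whitelist pass are hypothetical.

```javascript
// Added illustration; not Caja's code. All names here are hypothetical,
// and the allowed-type set is an assumption made for the example.
const ALLOWED_TYPES = new Set(
  ['text', 'password', 'checkbox', 'radio', 'submit', 'button', 'hidden']);
// Types whose values a browser may remember and offer back later.
const AUTOCOMPLETED_TYPES = new Set(['text', 'password']);

// attrs: array of [name, value] pairs, in source order, for one <input> tag.
// Other attributes are assumed to have passed a separate whitelist already.
// Returns a new array of pairs, or null if the tag must be rejected.
function sanitizeInputAttrs(attrs) {
  const seen = new Set();
  const out = [];
  let type = 'text'; // HTML default when no type attribute is present
  for (const [rawName, rawValue] of attrs) {
    const name = String(rawName).toLowerCase();
    // HTML parsers keep the first occurrence of a duplicated attribute,
    // so later duplicates are dropped here too.
    if (seen.has(name)) continue;
    seen.add(name);
    // The gadget author's autocomplete value is never trusted.
    if (name === 'autocomplete') continue;
    if (name === 'type') {
      type = String(rawValue).trim().toLowerCase();
      if (!ALLOWED_TYPES.has(type)) return null;
      out.push(['type', type]);
      continue;
    }
    out.push([name, String(rawValue)]);
  }
  // Force the setting for both text and password, since the message notes
  // that autocompletion affects type=text as well.
  if (AUTOCOMPLETED_TYPES.has(type)) out.push(['autocomplete', 'off']);
  return out;
}

// Constructed sample input: mixed-case names and a duplicated attribute.
console.log(sanitizeInputAttrs(
  [['TYPE', 'Password'], ['autocomplete', 'on'], ['name', 'pw']]));
```

Current browsers' password managers may ignore `autocomplete=off` on password fields, so this rewrite narrows the autocompletion exposure rather than closing it.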