JS can't actually call the password manager directly, and a script can
only read form data on pages loaded from the same host as the script. So
the only scripts that can read your password from a form are coming from
the site you were about to submit your password to anyway.

-Mitch

Joseph N. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If Password Manager (M 0.9.2) is set to ask for the master p/w only
> the first time it is needed, what is the vulnerability of the program
> to a Javascript seeking either passwords or form/personal
> information? This question relates to both (a) the ability of a JS
> to unearth the information without the user's having to enter
> anything on a form, and (b) the ability of the script to monitor the
> information that Mozilla is filling in on a form.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQA/AwUBO1+cFeH2IGJNcAawEQKfiwCePTCuuEccZjgUxn2LojQIOF/WTtIAoK7u
> EoR3H8G3zuhA43uikPB+P4GK
> =fboi
> -----END PGP SIGNATURE-----
>