On Thu, Feb 2, 2012 at 10:43 PM, Charles Pritchard <ch...@jumis.com> wrote:
> ** > On 2/2/12 10:27 PM, Ryosuke Niwa wrote: > > On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard <ch...@jumis.com>wrote: >> >> Seems like a very minor risk for high security sites, e.g. banking, in >> identifying form elements. >> In the spirit of giving it some thought: >> > > But even for those websites, what could input / textarea elements can > reveal more than what user sees? > > Many sites use <input hidden> elements with what are essentially image > maps for entering a PIN. > But any element with display:none will be removed so <input hidden> should be removed. It's becoming more common that top level domains are being restricted or > redirected to country codes. It seems plausible that domains may further be > restricted to HTTPS (SSL) signatures. Going further, sites may be > restricted to those which serve appropriate security headers against XSS > attacks. Disabling the "copy" mechanism for any portion of a site does risk > censorship. But, we are only examining high security portions of high > security sites, such as <input hidden> and <input type=password>. > input[type=password] is a good one. We should probably get rid of the value in that case? - Ryosuke