> Fair enough - although I worry that the likelihood of people using
> this in conjunction with tightly-scoped per-document CSP (versus the
> far more likely scenario of just having a minimal XSS-preventing
> site-wide or app-wide policy that will definitely not mitigate #3 and
> probably do nothing for #1) is pretty slim.
In fact, the XSS-preventing part is probably a stretch. Facebook and Twitter are often mentioned as the two most significant customers for CSP, but both use unsafe-inline and unsafe-eval. On top of that, note that #3 is not defeated by origin-scoped rules - you need to specify full paths. Honestly, if we're creating a mechanism that implies that a degree of protection is provided for password fields, we should either make it work on its own, *or* at the very minimum require a CSP with form-action specified, and otherwise warn or better yet, break fields flagged as writeonly.

/mz
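The origin-scoped versus path-scoped form-action distinction raised in the reply above, as an added example that is not part of the thread: a simplified CSP source matcher run against two constructed policies. The host example.com, the policy strings, the target URLs and the helper names are all assumptions for illustration. The matcher handles only 'none' and host sources with an explicit scheme; 'self', scheme-only sources, wildcards and the spec's percent-decoded, segment-wise path comparison are deliberately left out.

```python
"""Check which form targets a CSP form-action directive permits.

Added example (not code from the thread). Simplified: handles 'none' and
host sources of the form scheme://host[:port][/path] only.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_form_action(csp: str) -> list[str]:
    """Return the source list of the form-action directive ([] if absent)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "form-action":
            return tokens[1:]
    return []


def _path_matches(source_path: str, url_path: str) -> bool:
    # No path (or "/") on the source covers every path on that origin; a
    # path ending in "/" is a prefix match; anything else must match exactly.
    if source_path in ("", "/"):
        return True
    if source_path.endswith("/"):
        return url_path.startswith(source_path)
    return url_path == source_path


def source_matches(source: str, url: str) -> bool:
    """Does one host source expression cover the given absolute URL?"""
    if source == "'none'":
        return False
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme.lower() != tgt.scheme.lower():
        return False
    if src.hostname != tgt.hostname:  # .hostname is already lower-cased
        return False
    src_port = src.port or DEFAULT_PORTS.get(src.scheme.lower())
    tgt_port = tgt.port or DEFAULT_PORTS.get(tgt.scheme.lower())
    if src_port != tgt_port:
        return False
    return _path_matches(src.path, tgt.path or "/")


def form_action_allowed(csp: str, target: str) -> bool:
    """True if a form with action=target may submit under the policy.

    form-action has no default-src fallback: a policy without the directive
    does not restrict form submissions at all.
    """
    sources = parse_form_action(csp)
    if not sources:
        return True
    return any(source_matches(s, target) for s in sources)


# Constructed policies: origin-scoped versus a full path on the same origin.
ORIGIN_SCOPED = "default-src 'self'; form-action https://example.com"
PATH_SCOPED = "default-src 'self'; form-action https://example.com/login"

# Constructed form targets, including another path on the trusted origin.
TARGETS = [
    "https://example.com/login",
    "https://example.com/other/page",
    "https://evil.example/collect",
]


def evaluate(csp: str) -> dict[str, bool]:
    """Map each constructed target to whether the policy lets a form post there."""
    return {t: form_action_allowed(csp, t) for t in TARGETS}


if __name__ == "__main__":
    for name, policy in (("origin-scoped", ORIGIN_SCOPED), ("path-scoped", PATH_SCOPED)):
        print(name, evaluate(policy))
```

With the origin-scoped policy, a form posting to https://example.com/other/page is allowed, so any other path a form can be pointed at on that origin is still a valid submission target; only the path-scoped source pins submissions to /login (and not to /login/extra, since a source path without a trailing slash is an exact match).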