[owasp-intrinsic-security] Saved Passwords and Clickjacking
bil at corry.biz
Thu Oct 30 11:56:49 EDT 2008
Arshan Dabirsiaghi wrote on 10/30/2008 9:08 AM:
> I have not heard much on prevention of this type of danger except in the form of "don't let FF save your passwords!!"
From the website's perspective, not allowing the browser to save the username and password is an option. I've seen some sites that do allow the user to opt-in to have the site remember their username, so it will pre-populate the username, and the user still has to enter their password.
> I would guess a simple protection might be to not pre-populate form fields in an <iframe>. For further insurance of not breaking existing apps, you could say the browser can pre-populate if the <iframe> is from the same domain.
I think that is the cleanest solution; you'll have to let us know what other ideas come out of the EU Summit.
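As an added example (not code from this thread or from anyone posting in it), here is a page-side approximation of the two ideas above in JavaScript: the site declines to let the browser fill or save the credential fields, and it only tolerates pre-population when the page is top-level or framed by the same origin. The `framingDecision` and `hardenLoginForm` names, and the window-like objects the test builds, are assumptions made for this example; in a real page you would pass `window` and the login `<form>` element.

```javascript
// Added example: decide whether credential fields may be pre-populated,
// based on whether the page is framed and by whom.
// `win` is a window-like object; in a browser pass `window`.
function framingDecision(win) {
  // Top-level document: nobody is framing us, so leave autofill alone.
  if (win.top === win.self) {
    return { framed: false, sameOrigin: true, allowAutofill: true };
  }
  // We are framed. Reading the framer's origin only works when it is
  // same-origin; cross-origin access throws under the same-origin policy,
  // and that throw is itself the signal that a foreign site framed us.
  let sameOrigin;
  try {
    sameOrigin = win.top.location.origin === win.location.origin;
  } catch (e) {
    sameOrigin = false;
  }
  return { framed: true, sameOrigin, allowAutofill: sameOrigin };
}

// Apply the decision to a login form. When autofill is not allowed, mark the
// username and password fields autocomplete="off" (so the browser neither
// fills nor offers to save them) and discard anything already pre-populated.
// Returns the number of fields it touched. `form.elements` may be a real
// HTMLFormControlsCollection or any array-like of field objects.
function hardenLoginForm(form, decision) {
  if (decision.allowAutofill) return 0;
  let touched = 0;
  for (const field of Array.from(form.elements)) {
    const isCredential = field.type === 'password' || field.name === 'username';
    if (!isCredential) continue;
    field.autocomplete = 'off'; // reflected to the autocomplete attribute on real inputs
    field.value = '';           // drop any value the browser inserted before we ran
    touched += 1;
  }
  return touched;
}

// Constructed window-like objects for running this outside a browser.
function makeFakeWindow(origin, top) {
  const win = { location: { origin } };
  win.self = win;
  win.top = top || win; // a window with no framer is its own top
  return win;
}

// A framer whose location cannot be read, mimicking a cross-origin top window.
function makeCrossOriginTop() {
  const top = {};
  Object.defineProperty(top, 'location', {
    get() { throw new Error('SecurityError: cross-origin access blocked'); },
  });
  return top;
}

// Usage in a browser (not executed here):
//   document.addEventListener('DOMContentLoaded', () => {
//     hardenLoginForm(document.querySelector('form#login'), framingDecision(window));
//   });
```

The decision is deliberately conservative: any failure to read the framer's origin is treated as foreign, so a same-origin frame keeps the convenient behaviour the thread describes while a cross-origin frame gets empty, non-autofilled credential fields.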