[owasp-intrinsic-security] Fwd: Saved Passwords and Clickjacking

Giorgio Maone giorgio.maone at gmail.com
Thu Oct 30 12:30:05 EDT 2008


---------- Forwarded message ----------
From: Giorgio Maone <giorgio.maone at gmail.com>
Date: Thu, Oct 30, 2008 at 5:29 PM
Subject: Re: [owasp-intrinsic-security] Saved Passwords and Clickjacking
To: Bil Corry <bil at corry.biz>


The best solution IMHO is replacing auto-fill with a chrome-level UI element
to both fill and submit the form in a single gesture, like Opera's Wand
(ctrl+Enter) button.


On Thu, Oct 30, 2008 at 4:56 PM, Bil Corry <bil at corry.biz> wrote:

> Arshan Dabirsiaghi wrote on 10/30/2008 9:08 AM:
> > I have not heard much on prevention of this type of danger except in the
> > form of "don't let FF save your passwords!!"
>
> From the website's perspective, not allowing the browser to save the
> username and password is an option. I've seen some sites that do allow the
> user to opt-in to have the site remember their username, so it will
> pre-populate the username, and the user still has to enter their password.
>
>
> > I would guess a simple protection might be to not pre-populate form
> > fields in an <iframe>. For further insurance of not breaking existing apps,
> > you could say the browser can pre-populate if the <iframe> is from the same
> > domain.
>
> I think that is the cleanest solution, you'll have to let us know what
> other ideas come out of the EU Summit.
>
>
> - Bil
>
>
> _______________________________________________
> owasp-intrinsic-security mailing list
> owasp-intrinsic-security at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
>
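The same-origin autofill rule proposed in the thread, as an added JavaScript example that is not code from the list or from either author: a decision function expressing the browser-side policy (fill saved credentials only when the login form is not framed, or when the top-level document shares its origin), plus a site-side counterpart that disables autofill on a password field when it detects cross-origin framing. The helper names, the fake document/window objects and the example URLs are assumptions for this illustration.

```javascript
// Added illustration of the policy discussed above; names and URLs are constructed.

// Reduce a URL to its origin (scheme://host:port), the unit the same-origin
// policy compares; path and query are ignored.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Proposed browser-side rule: may saved credentials be filled into a login
// form at formUrl, given the top-level document's URL (null when the form
// itself is the top-level document)?
function shouldAutofill(formUrl, topUrl) {
  if (topUrl === null) return true;                 // not framed: fill as today
  return originOf(formUrl) === originOf(topUrl);    // framed: same origin only
}

// Site-side counterpart for browsers without such a rule: if the login page
// finds itself framed by another origin, strip autofill from password fields
// so a hidden frame cannot be pre-populated. Takes the document and window
// as parameters so the decision can be exercised with stand-ins outside a browser.
function hardenLoginForm(doc, win) {
  let crossOriginFramed = false;
  try {
    // Reading win.top.location.href throws when the framer is cross-origin,
    // which is itself evidence of cross-origin framing.
    crossOriginFramed = win.top !== win.self &&
      originOf(win.top.location.href) !== originOf(win.location.href);
  } catch (e) {
    crossOriginFramed = true;
  }
  if (!crossOriginFramed) return 'autofill-allowed';
  for (const input of doc.querySelectorAll('input[type="password"]')) {
    input.setAttribute('autocomplete', 'off');
    input.value = '';
  }
  return 'autofill-disabled';
}

// Run automatically when loaded in a real page.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  hardenLoginForm(document, window);
}
```

Current browsers largely ignore `autocomplete="off"` on password fields, so the site-side check is best-effort; refusing to be framed at all is the stronger control.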