[owasp-intrinsic-security] Fwd: Saved Passwords and Clickjacking
giorgio.maone at gmail.com
Thu Oct 30 12:30:05 EDT 2008
---------- Forwarded message ----------
From: Giorgio Maone <giorgio.maone at gmail.com>
Date: Thu, Oct 30, 2008 at 5:29 PM
Subject: Re: [owasp-intrinsic-security] Saved Passwords and Clickjacking
To: Bil Corry <bil at corry.biz>
The best solution IMHO is replacing auto-fill with a chrome-level UI element
to both fill and submit the form in a single gesture, like Opera's Wand
On Thu, Oct 30, 2008 at 4:56 PM, Bil Corry <bil at corry.biz> wrote:
> Arshan Dabirsiaghi wrote on 10/30/2008 9:08 AM:
> > I have not heard much on prevention of this type of danger except in the
> form of "don't let FF save your passwords!!"
> >From the website's perspective, not allowing the browser to save the
> username and password is an option. I've see some sites that do allow the
> user to opt-in to have the site remember their username, so it will
> pre-populate the username, and the user still has to enter their password.
> > I would guess a simple protection might be to not pre-populate form
> fields in an <iframe>. For further insurance of not breaking existing apps,
> you could say the browser can pre-populate if the <iframe> is from the same
> I think that is the cleanest solution, you'll have to let us know what
> other ideas come out of the EU Summit.
> - Bil
> owasp-intrinsic-security mailing list
> owasp-intrinsic-security at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the owasp-intrinsic-security