User:Mconnor/Past/PasswordManagerSecurity


It has been suggested that we use action URLs to help better filter against password stealing. That said, there are considerations in terms of usability and web compatibility that may have the effect of pushing users to less secure versions instead of jumping through the hoops. I think the below chart gives a good idea of how I think we should treat the varying cases.

| Action URL domain | First visit | After action URL change | Rationale |
| --- | --- | --- | --- |
| None (javascript changes onsubmit) | Allow save | Allow use | If the site is modifying action URLs or other things by JS, action URLs are irrelevant since the site can use script to bypass any filtering |
| Same domain | Allow save | Allow use | If you're submitting to the exact domain you're on, odds are they control enough to get your password anyway |
| Same TLD (trunk) | Allow save | Allow use | Same argument as the same domain, roughly. They can already use domain cookies to leak your sessions to the other domain anyway, so we're not changing much here |
| Different TLD (trunk) | Warn, but allow save | Warn, provide enough details for users to decide whether to autofill | Clearly a rare case, and likely risky. Legit sites can easily ensure no one gets the warning. |
| Different domain (1.8) | Save, and retain the host info (i.e. if foo.com submits to bar.com, save bar.com) | Autofill if the host matches, otherwise fail silently | Hopefully the lack of autofill is a tipoff. If the user has already submitted their user/pass to a phisher, we might as well save it... |
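
The trunk rows of the chart can be expressed as a decision function. The sketch below is an added example, not Mozilla code or part of the original proposal. It assumes "same TLD" means the same registrable domain, treats a missing or `javascript:` action as the "None" row, and uses a tiny constructed suffix set in place of the real Public Suffix List; the function and constant names are hypothetical.

```javascript
// Added example, not Mozilla code. Assumptions: "same TLD" means the same
// registrable domain (public suffix plus one label), and SUFFIXES is a tiny
// constructed stand-in for the real Public Suffix List.
const SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain of a host, or null when the suffix is unknown.
function baseDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix or bare suffix: treat as unrelated
}

// Which table row applies to a form on pageUrl with this action attribute.
function classifyAction(pageUrl, action) {
  const page = new URL(pageUrl);
  const raw = (action || "").trim();
  // Row 1: no usable action URL; script decides the destination at submit.
  if (raw === "" || /^javascript:/i.test(raw)) return "none";
  let target;
  try {
    target = new URL(raw, page); // resolves relative actions against the page
  } catch {
    return "different"; // unparseable target: take the cautious row
  }
  if (target.hostname === page.hostname) return "same-domain";
  const a = baseDomain(page.hostname);
  const b = baseDomain(target.hostname);
  return a !== null && a === b ? "same-base" : "different";
}

// Trunk policy from the table: save on first visit, fill after a change.
const POLICY = {
  "none": { save: "allow", fill: "allow" },
  "same-domain": { save: "allow", fill: "allow" },
  "same-base": { save: "allow", fill: "allow" },
  "different": { save: "warn", fill: "warn" },
};

function decide(pageUrl, action) {
  const kind = classifyAction(pageUrl, action);
  return { kind, ...POLICY[kind] };
}

// Constructed sample inputs using the page's foo.com / bar.com hosts.
for (const action of ["/login", "https://secure.foo.com/a", "https://bar.com/a"]) {
  console.log(action, decide("https://www.foo.com/", action));
}
```

The 1.8 row is not modelled here, since it stores the submitted host with the login and compares against it at fill time rather than classifying the action URL.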