Security/Features/HighlightCleartextPasswords: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 40: Line 40:
# A user is asked to login to an https page.  The login form submit calls a javascript function.  Hence, the form post may or may not be over https depending on the javascript.
# A user is asked to login to an https page.  The login form submit calls a javascript function.  Hence, the form post may or may not be over https depending on the javascript.
#* '''Do nothing - This case may already be handled with a Security Warning alert box if the form posts over http.  See people.mozilla.com/~tvyas/https_post_http.png and people.mozilla.com/~tvyas/https_post_http_with_js.png'''
#* '''Do nothing - This case may already be handled with a Security Warning alert box if the form posts over http.  See people.mozilla.com/~tvyas/https_post_http.png and people.mozilla.com/~tvyas/https_post_http_with_js.png'''
|Feature requirements=When a webpage includes an input type=password field and the webpage does not offer a full ssl experience, indicate to the user that their unecrypted password may be accessible by eavesdroppers/attackers.  Note that websites with non-ssl display-only content are an exception.
|Feature requirements=When a webpage includes an input type=password field and the webpage does not offer a full ssl experience, indicate to the user that their unencrypted password may be accessible by eavesdroppers/attackers.  Note that websites with non-ssl display-only content are an exception.
 
The SHOULD NOT be able to overwrite the "highlighted" content.  (Example: if an insecure password field has an placeholder, our placeholder would overwrite the existing placeholder).
|Feature non-goals=This item is only for type=password.  Other sensitive data is captured in this feature page:  
|Feature non-goals=This item is only for type=password.  Other sensitive data is captured in this feature page:  
https://wiki.mozilla.org/Security/Features/Identify_which_bits_are_unencrypted
https://wiki.mozilla.org/Security/Features/Identify_which_bits_are_unencrypted
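Review bot: The sentence added to the feature requirements, "The SHOULD NOT be able to overwrite the "highlighted" content", has no subject, so the requirement does not say which party is barred from overwriting the highlight. Name the actor explicitly and correct "an placeholder" to "a placeholder". The parenthetical example would also be clearer if it said outright that the browser's placeholder takes precedence over the one the page supplies, since that is the only part of the sentence that hints at the intended direction.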