Review Request: New Kwallet scheme for Khtml user-password form saving (enabling multiple accounts per site)

Oswald Buddenhagen ossi at kde.org
Tue Aug 10 07:48:03 BST 2010


On Tue, Aug 10, 2010 at 03:48:23AM +0200, Martin Tobias Holmedahl Sandsmark wrote:
> On Thu, Aug 05, 2010 at 05:42:45PM -0000, Ingo Klöcker wrote:
> > > All account usernames on the site are stored as PASSWORD value in the FormData
> > > folder of Network KWallet with the key:
> > >   accounts_SITE
> > > where SITE stands for host part of the URL.
> > I think this is a potential security problem. Let's say there are two
> > completely different websites hosted on the same host like
> > […]
> > Either I misunderstood what your patch does or your patch is IMHO unacceptable because of the above.
> 
> Yes, that's a regression security-wise, as KHTML currently uses the full URL
> plus the form name.
> 
otoh, konqueror's current behavior is a royal PITA to use.
there should be some hierarchical treatment of urls with automatic
propagation of completion data to deeper nested directories (and a
manual way to propagate up).
in addition (or at least alternatively) there should be a way to link
forms into a "cluster", so one doesn't have to re-enter the same
credentials into a hundred different pages when they are all connected
to the same authentication provider.
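
Added illustration (not part of the original message, and not KHTML or KWallet code): a sketch of the hierarchical lookup proposed above next to the host-only `accounts_SITE` key, showing that data saved in a directory is offered in pages nested below it but not in a sibling directory on the same host. The `Store` map, the key layout in `dirKey`, and the `host.example` URLs are assumptions constructed for this example; form names and the manual upward propagation are left out.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for a wallet folder: key -> saved account name.
using Store = std::map<std::string, std::string>;

// Host-only key, the accounts_SITE scheme quoted in the thread.
std::string hostKey(const std::string& host) { return "accounts_" + host; }

// Directory of a URL path (query already stripped): "/a/b/x.php" -> "/a/b/".
std::string dirOf(const std::string& path) {
    if (path.empty() || path[0] != '/') return "/";
    return path.substr(0, path.rfind('/') + 1);
}

// Hypothetical hierarchical key: host plus directory.
std::string dirKey(const std::string& host, const std::string& dir) {
    return "accounts_" + host + dir;
}

// Save under the directory of the page where the form was submitted.
void save(Store& s, const std::string& host, const std::string& path,
          const std::string& user) {
    s[dirKey(host, dirOf(path))] = user;
}

// Search the page's own directory, then each parent up to "/": saved data is
// offered below where it was saved, never in a sibling or parent directory.
const std::string* lookup(const Store& s, const std::string& host,
                          const std::string& path) {
    std::string dir = dirOf(path);
    for (;;) {
        auto it = s.find(dirKey(host, dir));
        if (it != s.end()) return &it->second;
        if (dir == "/") return nullptr;  // nothing saved on this branch
        dir = dir.substr(0, dir.rfind('/', dir.size() - 2) + 1);  // "/a/b/" -> "/a/"
    }
}

int main() {
    Store s;  // constructed sample data
    save(s, "host.example", "/~alice/login.php", "alice");
    const char* pages[] = {"/~alice/blog/admin/login.php", "/~bob/login.php"};
    for (const char* p : pages) {
        const std::string* u = lookup(s, "host.example", p);
        std::cout << p << " -> " << (u ? *u : "(none)") << "\n";
    }
}
```

With the host-only key, both constructed pages would map to the single entry `accounts_host.example`.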



