Review Request: New Kwallet scheme for Khtml user-password form saving (enabling multiple accounts per site)

Michael Leupold lemma at
Wed Aug 11 23:34:37 BST 2010

Oswald Buddenhagen wrote:
> On Tue, Aug 10, 2010 at 04:03:44PM +0200, Martin Sandsmark wrote:
>> On Tue, Aug 10, 2010 at 08:48:03AM +0200, Oswald Buddenhagen wrote:
>> > otoh, konqueror's current behavior is a royal PITA to use.  there
>> > should be some hierarchical treatment of urls with automatic
>> > propagation of completion data to deeper nested directories (and a
>> > manual way to propagate up).
>> It's not given that they belong to the same page, though. So it will
>> become a potential security hole, no?
> i've yet to see a password secured site which lives in a subdirectory of
> another password secured site and is not in the same administrative
> domain ...

Nowadays they are probably more of a corner case, but they still exist. Just 
think about university networks or smaller providers which let you log on on 
the front page and provide ~user subdirectories which are managed by the 
individuals owning the account.

Apart from that there are other cases where you could have 2 different 
security providers on one domain which are managed by the same 
administrators, so no security problems but usability ones. Think about 
content management systems which have separate accounts for frontend and 
backend login.

While I agree that this is probably not that common, those cases should weigh 
in heavier regarding security. This doesn't mean we couldn't have a way for 
the user to explicitly configure it to ignore those issues.
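
The trade-off discussed in this thread, sketched as an added example (not code from the thread, KHTML or KWallet): saved logins are offered only on the directory they were saved for, and reach deeper directories only when the user has explicitly opted in for that entry. The names SavedLogin, candidates, propagate and the uni.example data are assumptions made for illustration; percent-encoded path segments are not decoded here.

```python
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_and_dir(url):
    """Return ((scheme, host, port), directory segments) for a form page URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    origin = (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))
    path = u.path or "/"
    # Drop the document name so /a/login.php and /a/ map to the same directory.
    directory = path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"
    # Collapse "." and ".." so /cms/../~eve/ cannot pose as a path below /cms/.
    segments = [s for s in normpath(directory).split("/") if s]
    return origin, segments

@dataclass(frozen=True)
class SavedLogin:
    page_url: str            # page the login form was saved on
    username: str
    propagate: bool = False  # explicit user opt-in: also offer in deeper directories

def candidates(saved, url):
    """Saved logins that may be offered on `url`, most specific directory first."""
    origin, here = origin_and_dir(url)
    hits = []
    for login in saved:
        s_origin, s_dir = origin_and_dir(login.page_url)
        if s_origin != origin:
            continue  # never cross scheme, host or port
        exact = s_dir == here
        # Whole-segment prefix: /cms/ covers /cms/admin/ but not /cmsadmin/.
        below = len(here) > len(s_dir) and here[:len(s_dir)] == s_dir
        if exact or (below and login.propagate):
            hits.append((len(s_dir), login))
    hits.sort(key=lambda h: -h[0])
    return [login for _, login in hits]

# Constructed sample data: a university host with a front-page login and a CMS.
SAVED = [
    SavedLogin("https://uni.example/login.php", "alice"),
    SavedLogin("https://uni.example/cms/", "editor"),
    SavedLogin("https://uni.example/cms/", "webmaster"),
    SavedLogin("https://uni.example/cms/", "alice-cms", propagate=True),
]
```

With this data the front-page login is not offered on a page under /~bob/ unless the user sets propagate on that entry, while several accounts saved for /cms/ are all offered there.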


