Review Request: New Kwallet scheme for Khtml user-password form saving (enabling multiple accounts per site)

todd rme toddrme2178 at gmail.com
Mon Jul 4 12:26:25 BST 2011


On Thu, Aug 12, 2010 at 12:34 AM, Michael Leupold <lemma at confuego.org> wrote:
> Oswald Buddenhagen wrote:
>> On Tue, Aug 10, 2010 at 04:03:44PM +0200, Martin Sandsmark wrote:
>>> On Tue, Aug 10, 2010 at 08:48:03AM +0200, Oswald Buddenhagen wrote:
>>> > otoh, konqueror's current behavior is a royal PITA to use.  there
>>> > should be some hierarchical treatment of urls with automatic
>>> > propagation of completion data to deeper nested directories (and a
>>> > manual way to propagate up).
>>>
>>> It's not given that they belong to the same page, though. So it will
>>> become a potential security hole, no?
>>>
>> i've yet to see a password secured site which lives in a subdirectory of
>> another password secured site and is not in the same administrative
>> domain ...
>
> Nowadays they are probably more of a corner case, but they still exist. Just
> think about university networks or smaller providers which let you log on on
> the frontpage and provide ~user subdirectories which are managed by the
> individuals owning the account.
>
> Apart from that there are other cases where you could have 2 different
> security providers on one domain which are managed by the same
> administrators, so no security problems but usability ones. Think about
> content management systems which have separate accounts for frontend and
> backend login.
>
> While I agree that this is probably not that common those cases should weigh
> in heavier regarding security. This doesn't mean we couldn't have a way for
> the user to explicitly configure it to ignore those issues.
>
> Regards,
> Michael
>
>

Was a decision ever made regarding this?  I don't seem to see this
implemented in KDE 4.7 rc1, although I might have missed it somehow.

-Todd




More information about the kde-core-devel mailing list