change list for WebCore/JavaScriptCore version 60

Dirk Mueller mueller@kde.org
Sat, 15 Feb 2003 01:54:14 +0100


On Fri, 14 Feb 2003, Trey Matteson wrote:

> Wells Fargo chose to block access via Safari when they discovered that 
> the password and account name could be available via back/forward.  

Oh, boy, I feel soo sorry :-(
It seems you've been hit on a lot, thanks for keeping up the faith. 

(insert mumblings about common codebase here .. ;-) )

> save/restore any forms that are submitted via https that contain a 
> password field.  This matches WinIE (but not MacIE). 

How does Mozilla behave in this case?

Is this why you added the DocumentImpl::secureFormAdded(), hasSecureForm() 
etc.? That code appears totally unused inside khtml/

> The case this protects against is someone leaving their computer 
> momentarily, or leaving a session open at a public terminal, and having 
> someone go back to view the account. 

That doesn't make much sense though. If you keep the window open, you have 
the secure session cookie and the person can just _use_ the account instead of going 
back and trying to find out the data. So if this is a concern, we should at 
least drop the session cookie when going back, because that one has at least 
a thousand times more potential for abuse. 

> Accounts are sometimes social 
> security numbers, which some people are sensitive about. 

Hmm. Oh well, before we get a bugtraq complaint about that, I guess we'd 
better not store the data then either. Though I'd even like to make it 
configurable in this case, because I prefer being able to go back over 
fearing that somebody breaks into my house while the home banking 
window is open :)


-- 
Dirk (received 96 mails today)
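The rule Trey describes above (skip save/restore of any form submitted via https that contains a password field) as an added, stand-alone example; this is not WebKit or khtml code, and the function names, the form descriptors and the sample field values are all constructed here. It also goes one step beyond the quoted rule by never persisting the text of a password field, even on plain-http forms. Form actions are resolved against the page URL, so a relative action on an https page is still treated as secure.

```javascript
// Added example: the back/forward form-state rule from the thread, expressed
// as a pure function. Forms are constructed plain objects, not DOM nodes, so
// this runs under Node without a browser.

// Resolve a form's action against the page URL; an empty action submits to
// the page itself, which is the common case for login forms.
function submissionUrl(pageUrl, action) {
  return new URL(action || '', pageUrl);
}

// A form is "secure" in the sense of the quoted message when it submits over
// https and carries at least one password field.
function isSecurePasswordForm(form) {
  const url = submissionUrl(form.pageUrl, form.action);
  const hasPassword = form.fields.some((f) => f.type === 'password');
  return url.protocol === 'https:' && hasPassword;
}

// Return the field values the history cache may persist: null (nothing) for a
// secure password form, otherwise every field except password inputs.
function formStateToPersist(form) {
  if (isSecurePasswordForm(form)) return null;
  const state = {};
  for (const f of form.fields) {
    if (f.type === 'password') continue; // never keep password text around
    state[f.name] = f.value;
  }
  return state;
}

// Constructed sample forms (hypothetical hosts and values).
const bankLogin = {
  pageUrl: 'https://bank.example/login',
  action: '/auth', // relative: resolves to https://bank.example/auth
  fields: [
    { name: 'account', type: 'text', value: '123-45-6789' },
    { name: 'pin', type: 'password', value: 'hunter2' },
  ],
};
const searchBox = {
  pageUrl: 'http://www.example.com/',
  action: 'http://www.example.com/search',
  fields: [{ name: 'q', type: 'text', value: 'konqueror' }],
};

console.log(formStateToPersist(bankLogin)); // null
console.log(formStateToPersist(searchBox)); // { q: 'konqueror' }
```

Dirk's objection still applies: dropping the cached form state protects the account number shown in the form, but not the live session cookie, which would need its own handling on back navigation.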