@mathias An epic debate! Knee-jerk reaction that dates back to when browsers handled autocomplete much more poorly. We'll likely re-enable.
Replying to @Hacker0x01
@Hacker0x01 And just like that, it’s gone! Thanks :)
Replying to @Hacker0x01
@Hacker0x01 @mathias You should put it back, this is why: http://jsfiddle.net/PHLcU/2/show/
Replying to @avlidienbrunn
@avlidienbrunn That doesn’t apply here as @Hacker0x01 serves HTML with the `X-Frame-Options: DENY` header (and rightly so).
Replying to @mathias
@mathias @Hacker0x01 Doesn't help on same-domain: http://jsfiddle.net/avwUm/show/
Replying to @avlidienbrunn
@avlidienbrunn But it does, unless you use `X-Frame-Options: SAMEORIGIN` or `ALLOW-FROM: …` which @Hacker0x01 doesn’t.
Replying to @mathias
@mathias @Hacker0x01 You don't have to frame it to access the content. See my second example. You can use window.open().
Replying to @avlidienbrunn
@avlidienbrunn You could abuse this if there’s XSS on the login page, but then you can log keystrokes anyway, autofill or not. @Hacker0x01
Replying to @mathias
@mathias @Hacker0x01 The XSS can be anywhere on the domain. Still one-click owned, and that's pretty shitty tbh: http://jsfiddle.net/avwUm/6/show/
@avlidienbrunn Yeah, but you could do the same without autofill. Just read the password input’s value on submit. @Hacker0x01