javascripts访问密码字段值是否被视为安全风险? [英] Is javascripts access to a password fields value considered a security risk?
问题描述
如果安全和正确地存储密码是好的风格和安全性,那么对于要求用户输入密码的网页应该不一样吗?
If it is good style and security to store passwords securely and properly, then shouldn't the same be for web pages that require a user to enter a password?
考虑这个例子
<script>
function copy() {
var text = document.getElementsById('text');
var pass = document.getElementsById('pass');
text.value = pass.value;
}
</script>
<input type=text id=text>
<input type=password id=pass>
<button onclick="copy();">copy</button>
在密码框中键入内容并单击复制按钮,瞧,它暴露给世界。但是,如果您从密码框中复制并粘贴,那么您将获得无用的数据。
type something into the password box and click the copy button and voila, it is exposed to the world. However if you copy and paste from the password box then you will get useless data.
考虑登录页面中包含的不受控制的javascript部分数量由您(分析,页面流跟踪器,云中的托管脚本)。 Web浏览器是否有理由阻止这种对密码字段的编程访问,而是提供自己的密码验证API?
Consider the number of pieces of javascript that are included on your login page that are not controlled by you (analytics, pageflow trackers, hosted scripts in the cloud). Does it make sense for a web browser to prevent this sort of programmatic access to password fields and instead provide it's own password validation API?
推荐答案
此漏洞是[传统实施] 应用程序级别身份验证所固有的,因此必须通过网络收集和传输登录/密码对。 (并且网络浏览器不是唯一受此威胁威胁的地方)。
This vulnerability is intrinsic to the [traditional implementation of] application level authentication, whereby the login/password pair has to be collected and transmitted over the wire. (And the web browser is not the only place where this secret is threatened).
javascript主机级别和/或http级别的一些安全措施已到位为了防止某些你预见到的危险,但无论如何总是存在代码注入的风险...
A few safeguards at the level of the javascript hosts and/or of http are in place to prevent some of the danger you foresee, but anyway there's always the risk of code injection...
底线是如果有效的话需要安全性您可以考虑其他身份验证方法,例如操作系统集成安全性,其他形式的基于挑战的安全性,以及非基于密码的方法(例如:验证码 - 比如显示一系列照片的挑战,其中一些照片是经过身份验证的人预先学习的。)
The bottom line is that if effective security is required you may consider alternative authentication methods, such as OS integrated security, other forms of challenge-based security, and also non-password based approaches (eg: captcha-like challenges showing series of photos, some of which are pre-learned by the person being authenticated.)
这篇关于javascripts访问密码字段值是否被视为安全风险?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
