Closed
Description
If a malicious party is able to inject script into an origin, they could (among many other things you wouldn’t like) overwrite the behavior of store() to steal a user’s credentials as they’re written into the credential store.
I propose the following changes.
User agents *MAY*/*MUST* prevent overriding the following methods.
- navigator.credentials.store
- navigator.credentials.get
This is doable, just like the non-overridable location.origin. Ignoring this feature exposes users to the leak of personal credentials due to poor security implementations.
I also want to point out strongly that we at least say user agents MAY implement this feature.
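
The following is an added example, not part of the original issue or of the specification. It contrasts an ordinary prototype method with one pinned as an own, non-configurable property, which is how location.origin is exposed in browsers. `FakeCredentialsContainer` is a constructed stand-in (Node has no navigator.credentials), and `isOverridable`, `pinMethods` and `survivesReplacement` are hypothetical helper names.

```javascript
// Constructed stand-in for the browser's CredentialsContainer: Node has no
// navigator.credentials. As with ordinary WebIDL operations, store() and get()
// sit on the prototype as writable, configurable properties.
class FakeCredentialsContainer {
  store(credential) { return Promise.resolve(credential); }
  get(options) { return Promise.resolve(null); }
}

// Hypothetical helper: can script still substitute its own function for
// target[name], by assignment, by redefinition, or by shadowing?
function isOverridable(target, name) {
  const own = Object.getOwnPropertyDescriptor(target, name);
  if (own) return Boolean(own.writable || own.configurable);
  if (Object.isExtensible(target)) return true; // an own property could shadow it
  const proto = Object.getPrototypeOf(target);
  return proto ? isOverridable(proto, name) : false;
}

// Hypothetical helper: pin the current methods as own, non-writable,
// non-configurable properties (own and non-configurable, like location.origin).
function pinMethods(target, names) {
  for (const name of names) {
    Object.defineProperty(target, name, {
      value: target[name], writable: false, configurable: false, enumerable: true,
    });
  }
}

// Attempt both replacement routes; report whether the original survived.
function survivesReplacement(target, name) {
  const original = target[name];
  const wrapper = function () {};
  try { target[name] = wrapper; } catch (e) { /* TypeError in strict mode */ }
  try { Object.defineProperty(target, name, { value: wrapper }); } catch (e) { /* TypeError */ }
  return target[name] === original;
}

function demo() {
  const names = ['store', 'get'];
  const unpinned = new FakeCredentialsContainer();
  const pinned = new FakeCredentialsContainer();
  pinMethods(pinned, names);
  return {
    overridableBefore: names.filter((n) => isOverridable(unpinned, n)),
    overridableAfter: names.filter((n) => isOverridable(pinned, n)),
    unpinnedSurvives: survivesReplacement(unpinned, 'store'),
    pinnedSurvives: survivesReplacement(pinned, 'store'),
  };
}
```

A pin applied by page script only holds if that script runs before any injected script, and it does not cover replacement of the object that exposes the methods.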