Hacker News new | past | comments | ask | show | jobs | submit login

michaelmior is completely right.

You don't need xss on login page. You can have xss on any page and open an iframe/window with login and then steal via same origin




Ok, fair point, but even so - it's still not as much of a concern as other XSS and auto-complete vulnerabilities.


XSS is ok. CSRF is ok. Losing my real password is the worst thing to happen




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: