>His suggested fix will break work for sites that use AJAX on the login forms.
I forgot about AJAX, I was wrong.
>It is however an interesting vector as it will steal the password without any user interaction or knowledge.
I am trying to say it here.