Why do browsers allow scripts to access the password field?
It is now possible to define an onkeydown, onkeypress or onkeyup event for the password field, and also read the value directly (`.value`).
As a result, (almost) any browser extension can learn the password from any site.
Wouldn't it be easier from a browser architecture point of view to isolate everything related to authorization on sites? As an option - make a separate type of permission for extensions, for example, call it "access to passwords" (for all kinds of password managers). And other extensions, without this permission, should not have access to passwords.
Because, for example, you may need to send this data to the server using JS without reloading the page. Or at least validate it. A field of type password is the same field as text; it only protects against someone near the user seeing what has been entered.
In order for this data to be safe, the browser takes various measures - it does not allow js to be executed from the address bar, it prevents script injections, it warns when you install add-ons that they will have access to your data, etc.
That is, in the usual case, no script will get onto the page of any site except those placed there by the people who made it. And in that case, it's safe.
As for the "access to passwords" permission: no one forbids submitting a request to all the major browsers to have this implemented. If it is actually in demand, it may well appear.
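
The answer above notes that browsers warn at install time that an add-on will have access to your data. As an added example (not part of the original thread), this sketch reads a WebExtension manifest and reports whether the declared access lets the extension's scripts run on every site, which is what makes any form field readable to it. The function name `auditManifest`, the `access` categories and the sample manifests are constructed for illustration.

```javascript
// Match patterns that cover every site (heuristic list, not exhaustive).
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (p) => BROAD.has(p);
// Manifest V2 mixes host patterns into "permissions"; tell them from API names.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Report which pages an extension's scripts can reach. A script that runs in a
// page can read every input there, <input type="password"> included.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const scripts = manifest.content_scripts || [];
  const hosts = [...perms.filter(isHostPattern), ...(manifest.host_permissions || [])];
  const optional = [
    ...(manifest.optional_permissions || []).filter(isHostPattern),
    ...(manifest.optional_host_permissions || []),
  ];
  const matches = scripts.flatMap((cs) => cs.matches || []);

  const everywhere = hosts.some(isBroad) || matches.some(isBroad);
  const onDemand = optional.some(isBroad) || perms.includes("activeTab");
  const listedSites = [...new Set([...hosts, ...matches])].filter((p) => !isBroad(p));

  let access = "none";
  if (everywhere) access = "all-sites";
  else if (onDemand) access = "on-demand";
  else if (listedSites.length > 0) access = "listed-sites";
  return { name: manifest.name, access, listedSites };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "Tab Colorizer", manifest_version: 3, permissions: ["storage"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["color.js"] }] },
  { name: "Bank Helper", manifest_version: 3, permissions: ["scripting"],
    host_permissions: ["https://bank.example/*"] },
  { name: "Page Clipper", manifest_version: 2, permissions: ["activeTab", "contextMenus"] },
  { name: "Old Toolbar", manifest_version: 2, permissions: ["tabs", "*://*/*"] },
  { name: "Clock", manifest_version: 3, permissions: ["alarms"] },
];

const auditAll = () => SAMPLES.map(auditManifest);
for (const r of auditAll()) console.log(`${r.name}: ${r.access}`);
```

Extensions reported as `all-sites` are the ones whose install prompt says they can read and change data on all websites; `listed-sites` and `on-demand` narrow that to named hosts or to the tab the user explicitly invokes the extension on.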
How do you find someone else's password? The browser will show you the actual value. It does not show you the value that the user enters on another computer.