About secure password handling…
Chromium 1.0 failed many tests meant to evaluate the security of inbuilt password management features.
Those tests by Chapin Information Services are not available anymore but there is still a description on newsgropus.
Though not unlikely, it is unclear whenever Chromium improved its implementation.
Will the the following scenarios be tested on Dragon and the tests publicly released (like CLT)?
http://www.p2pnet.net/images/chapx.gif
Image from http://www.p2pnet.net/story/17871
Action Authority Checked on Retrieval
To pass this test, the PM must never deliver a password to a domain other than the
one to which the password was delivered when it was saved. For example, if a password
is saved on a self-referring form, and then automatically filled in another form that
points to a different website, then the PM has failed this test.
Action Authority Checked on Save
To pass this test, the PM must never overwrite the destination domain name of a
password without explicit user interaction. For example, if a password is first saved
on a self-referring form, and then re-saved on a form that points to a different
website, and the PM prevents the password from being filled on the original form,
then the PM has failed this test. Note the implicit requirement that a PM must
distinguish authorities on retrieval.
Action Authority Raises Warnings
To pass this test, the PM must warn the user if the action authority does not match
the page authority. For example, if a login form at www.info-svc.com:80 points to
google.com or to www.info-svc.com:81, and the PM allows a user to save or submit a
password using this form without notice, then the PM has failed this test.
Action Path Checked on Retrieval
To pass this test, the PM must never deliver a password to a path other than the one
to which the password was delivered when it was saved. For example, if a password is
saved on a self-referring form, and then automatically filled in another form that
points to a different parent directory, then the PM has failed this test.
Action Path Checked on Save
To pass this test, the PM must never overwrite the destination path of a password
without explicit user interaction. For example, if a password is first saved on a
self-referring form, and then re-saved on a form that points to a parent directory,
and the PM prevents the password from being filled on the original form, then the PM
has failed this test. Note the implicit requirement that a PM must distinguish paths
on retrieval.
Action Scheme Checked on Retrieval
To pass this test, the PM must never deliver a password using a protocol other than
the one by which the password was delivered when it was saved. For example, if a
password is saved on a self-referring web page, and then automatically filled in
another form that uses e-mail to deliver the password, then the PM has failed this test.
Action Scheme Checked on Save
To pass this test, the PM must never overwrite the destination scheme of a password
without explicit user interaction. For example, if a password is first saved on an
http: form, and then re-saved on a form that uses https: or mailto: and the PM
prevents the password from being filled on the original form, then the PM has failed
this test. Note the implicit requirement that a PM must distinguish schemes on retrieval.
Action Scheme Raises Warnings
To pass this test, the PM must warn the user if the action scheme is potentially
unsafe or does not match the page scheme. For example, if a login form uses an e-mail
application that will display the password on screen, and the PM allows the user to
save or submit a password using this form without notice, then the PM has failed this
test.
Action Scheme Prevented if Unsafe
To pass this test, the PM must successfully abort a password delivery if requested by
the user.
Autocomplete=Off Prevents Form Fills
To pass this test, the PM must never deliver a password when the autocomplete
attribute is present and set to “off”.
Invisiblility Prevents Form Fills
To pass this test, the PM must never deliver a password using a form that is not
visible. For example, if a login form is present on a web page but has its display
property set to none, and the PM automatically fills the form allowing the password
to be transmitted despite being invisible, then the PM has failed this test.
Method Checked on Retrieval
To pass this test, the PM must never deliver a password using an HTTP method other
than the one by which the password was delivered when it was saved. For example, if a
password is saved on a form that uses POST, and then automatically filled in another
form that uses GET to deliver the password, then the PM has failed this test.
Method Raises Warnings
To pass this test, the PM must warn the user if the password submission method is
potentially unsafe. For example, if a login form uses GET, which causes the password
to be added to the address bar, and the PM allows the user to save or submit a
password using this form without notice, then the PM has failed this test.
Multiple Paths per User per Authority
To pass this test, the PM must allow a user to save different passwords in different
paths of a single domain using the same user name. Note the implicit requirement that
a PM must distinguish paths in both the action URI and page URI.
Multiple Ports per User per Authority
To pass this test, the PM must allow a user to save different passwords using
different ports on a single domain using the same user name. Note the implicit
requirement that a PM must distinguish ports in both the action URI and page URI.
Multiple Schemes per User per Authority
To pass this test, the PM must allow a user to save different passwords using
different schemes on a single domain using the same user name. Note the implicit
requirement that a PM must distinguish schemes in both the action URI and page URI.
Page Path Checked on Retrieval
To pass this test, the PM must never deliver a password to a path other than the one
at which the password was requested when it was saved. For example, if a password is
saved on a self-referring form, and then automatically filled in another form that
points to the same path but is located in the parent directory, then the PM has
failed this test.
Random Name Attribute Prevents Form Fills
To pass this test, the PM must never fill a password in a form field whose name
attribute does not match the name of the field that was used to save the password.
User Required for Password Retrieval
To pass this test, the PM must never fill a password without explicit user interaction.
User Required for Password Save
To pass this test, the PM must never save or overwrite a password without explicit
user interaction. For example, if a password is saved with a username, and then the
same form is re-submitted with the same username and a different password, and the PM
then fills the new password into forms instead of the original password, then the PM
has failed this test.
Valid URIs Don’t Break Anything
To pass this test, the PM must never submit a password to the wrong URI or fail to
submit a password to a valid URI as a result of erroneous action attribute parsing.
For example, if the action attribute value is “mailto:localpart[at]www.info-svc.com” and
the PM delivers a password to “http://www.info-svc.com/mailto:localpart[at]www.info-svc.com”
then the PM has failed this test.
"