This repository was archived by the owner on Mar 4, 2020. It is now read-only.

Commit dc2e920

Passwords.
1 parent 357c1df commit dc2e920

1 file changed: +6 -0 lines changed

‎README.md‎

@@ -141,6 +141,12 @@ Still, this would be a more robust defense for users and developers. We're addin
141141
see what the impact of this kind of approach might look like if we take more things into account (HSTS with
142142
`includeSubdomains` and a sufficiently long lifetime obviates the needs for the `Secure` attribute, for example).
143143

144+
### Doesn't this make users type passwords more often? Isn't that bad?
145+
146+
That would be bad. We should actively discourage folks from typing passwords into non-secure pages. Browsers are
147+
moving on this already by labeling sites as "Not Secure" in various ways when they contain password forms. I
148+
expect that trend to continue.
149+
144150
## Open Questions
145151

146152
1. **All or nothing**? Is it better to treat a request's cookies as a monolithic set by deleting _all_ of
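Review bot: The answer at added lines 146-148 never says whether this change does make users type passwords more often; "That would be bad." is followed only by a statement about non-secure pages, so the reader has to infer the scope. Suggest opening with a direct answer to the heading's first question and stating which pages any extra password prompts would apply to. The paragraph also moves from "We should actively discourage" to "I expect that trend to continue" while the surrounding README text uses "We're"; pick one voice. A link supporting the "Not Secure" labeling statement would let readers check it.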
