Hacker News new | comments | show | ask | jobs | submit login

I assume the password manager is supposed to prepend the host of the login form or whatever host is configured in the password manager.

So if I save example.com in my password manager, it will access example.com/.well-known/change-password no matter which urls I later visit that might be on subdomains of that original page.

If I already configured evil.example.com in my password manager, it's game over anyway before anything relevant to this spec even happens.






Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: