- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Tue, 14 Apr 2015 08:21:59 -0700
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 14 April 2015 15:22:51 UTC
On Mon, Apr 13, 2015 at 10:20 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> > * Not having the ability to sync credentials between different
> > browsers removes features that people depend on from today's
> > managers (like LastPass) that allow you to do this. This makes the
> > proposed solution worse than the current solution.
>
> Applications like LastPass use a server-side component to enable you to
> sync credentials between different browser brands. I don't see anything
> like this in the current spec. Worse, it looks like the current spec is
> going to put companies like LastPass out of business (if the spec
> doesn't allow them to inject navigator.credentials).
>
> Does the spec provide a suggestion on allowing browser extensions to
> override navigator.credentials? If it does, are the security
> ramifications of doing so detailed anywhere? If it doesn't, isn't it
> making the state of the art worse by removing the ability to share
> credentials across multiple browser brands?
>

Are you familiar with the way LastPass currently integrates with Chrome to act as a password manager? I believe the technique it currently uses will work at least as well when there's just one Javascript API through which all passwords pass. If you think it doesn't work, can you point out the exact place it breaks down?

Jeffrey