undefined | Better HN

0 pointstehlike9y ago0 comments

that's exactly my point. I am hoping/assuming chrome would notify the user about this as well.

0 comments

Why? IIRC cross-origin will prevent the http page from reaching into the https iframe and furthermore the password is being sent over https so google doesn't really care.

tehlikeOP9y ago

But since top lev is insecure, an attacker could inject a legit looking form whose destination is set to steal passwords.

joshstrange9y ago

I guess it depends on the attack this is supposed to stop. This change does prevent sniffing of passwords and protects them while in transit but no, it doesn't prevent MitM attacks. That said google plans on marking all HTTP pages as "Non-Secure" in the not-too-distant future which will help warn against the potential for MitM.

j / k navigate · click thread line to collapse

0 comments

joshstrange9y ago

Why? IIRC cross-origin will prevent the http page from reaching into the https iframe and furthermore the password is being sent over https so google doesn't really care.

tehlikeOP9y ago

But since top lev is insecure, an attacker could inject a legit looking form whose destination is set to steal passwords.

joshstrange9y ago

j / k navigate · click thread line to collapse