by therealtbs
2750 days ago
I assume the password manager is supposed to prepend the host of the login form or whatever host is configured in the password manager. So if I save example.com in my password manager, it will access example.com/.well-known/change-password no matter which URLs I later visit that might be on subdomains of that original page. If I already configured evil.example.com in my password manager, it's game over anyway before anything relevant to this spec even happens.