by jsutton 2468 days ago
The vast majority of people don't have the same threat model, and unfortunately just want the product to work, or they won't use it at all. If you can't provide relevant information for the current website, you just won't be able to succeed as a password manager outside of niche markets.
1 comment

Yes, but that's the essence of the whole problem: there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't. Disabling autofill pretty much eliminates the whole vector though, without breaking UX that hard.
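Added example, not code from this thread or from any password manager. It models in plain objects (no real DOM) the concrete case behind the comment above: a third-party script running on the legitimate origin injects an invisible login form, so "is this my site?" is answered correctly and the manager still hands credentials to the script. The vault contents, the origins, the `tracker.js` name and every helper here are constructed for illustration; the second manager shows what "disable autofill" (fill only on an explicit user gesture) and a visibility check each buy you.

```javascript
// Assumed vault: credentials keyed by exact origin (constructed sample data).
const VAULT = {
  "https://example.com": { username: "alice@example.com", password: "hunter2" },
};

// Stand-in for a login form in the DOM: which document origin it belongs to,
// whether its inputs are actually rendered, and which script created it.
function makeLoginForm({ origin, visible, injectedBy = null }) {
  return {
    origin,
    injectedBy,
    fields: [
      { name: "username", type: "text", visible, value: "" },
      { name: "password", type: "password", visible, value: "" },
    ],
  };
}

// Naive manager: the only check is "does the page origin match a vault entry",
// and it fills silently on page load. A form injected into the legitimate
// origin by a third-party script passes that check. (opts is ignored; it is
// there so both managers share a signature.)
function naiveAutofill(form, _opts = {}, vault = VAULT) {
  const creds = vault[form.origin];
  if (!creds) return false;
  for (const f of form.fields) f.value = creds[f.name];
  return true;
}

// Gated manager: same exact-origin match, but it only acts on an explicit user
// gesture (click on the field or on the manager's icon), which is what
// "disable autofill" amounts to, and it refuses to fill inputs the user cannot
// see, which catches the hidden-form trick even if a gesture is faked.
function gatedFill(form, { userGesture = false } = {}, vault = VAULT) {
  const creds = vault[form.origin];
  if (!creds) return false;
  if (!userGesture) return false;
  if (form.fields.some((f) => !f.visible)) return false;
  for (const f of form.fields) f.value = creds[f.name];
  return true;
}

// What the injecting script does once the manager has filled "its" form: read
// the username (usually an email address) and send it home. Here it returns it.
function harvest(form) {
  const username = form.fields.find((f) => f.name === "username").value;
  return username ? { leakedTo: form.injectedBy, username } : null;
}

// Attack scenario: https://example.com loads tracker.js, which appends an
// invisible login form. Nothing is spoofed at the origin level; what is spoofed
// is "this is the site's own login form". Returns what the script gets.
function runScenario(fillFn, opts = {}) {
  const injected = makeLoginForm({
    origin: "https://example.com",
    visible: false,
    injectedBy: "tracker.js",
  });
  fillFn(injected, opts);
  return harvest(injected);
}

// The site's real, rendered form still works with the gated manager once the
// user actually acts on it. Returns the filled password, or false.
function runLegitimateLogin() {
  const real = makeLoginForm({ origin: "https://example.com", visible: true });
  return gatedFill(real, { userGesture: true }) && real.fields[1].value;
}

// Exact-origin matching also means a look-alike host gets nothing from either
// manager; substring or suffix matching here would reopen the spoofing vector.
function runLookalike() {
  const fake = makeLoginForm({ origin: "https://example.com.evil.test", visible: true });
  return naiveAutofill(fake) || gatedFill(fake, { userGesture: true });
}

console.log("naive, hidden injected form:", runScenario(naiveAutofill));
console.log("gated, no gesture:", runScenario(gatedFill, { userGesture: false }));
console.log("gated, faked gesture:", runScenario(gatedFill, { userGesture: true }));
console.log("gated, real form + gesture:", runLegitimateLogin());
console.log("look-alike origin:", runLookalike());
```

The gesture requirement is the blunt fix the comment refers to (nothing fills unless the user asks); the visibility check is the narrower one that still lets a manager fill on load but not into something the user never saw. Real managers layer further checks on top (field type, form action, frame origin), which this model leaves out.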
> there are ways to spoof what the current website is, causing your context-aware password manager to spit out data it shouldn't.

Can you give an example?

There was this example from 2017. https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-u...

I seem to remember reading about similar stuff done elsewhere, but don't remember the details (or apparently a useful search term :P).

Isn't the XSS example highlighted here a good example?