by 4ggr0 1649 days ago
> everything they typed (even if it was cleared and never sent in a request)

Okay, wow, that sounds rough... so in a way, phishing attacks don't even require you to log in anymore, just typing the password or maybe 75% of it is enough to get you.

3 comments

That's not new, is it? You could always have an onchange/oninput handler on the login fields and send it to your server.

Back when Facebook made their huge update to convert to a one-page-app, it was pretty obvious they were doing this because on tenuous connections the interactions with the text would be very strange, as if they are caching your text and operating on it server-side using commands sent from client-side.

Uhh... yeah, just typing the password (or letting your password manager autofill when you get cache poisoned or whatever) has always been enough to get you. onkeydown has existed longer than phishing.