by travisgriggs 1587 days ago
The cynical side of me notes what a great phish this could be. People are inclined to enter passwords they regularly use just to see the visualization of their favorite passwords. With a little logging -> send home, you'd be harvesting passwords left and right.

Would the type of people amused by this have that weakness though?
It's hosted on Github Pages which is just static file serving. And thanks to CORS restrictions I don't think you could phone home.

Unless there's a workaround I'm not thinking of.

GitHub pages are served with Access-Control-Allow-Origin: *, so the SOP doesn’t apply.

They also don’t set a CSP header, which opens up the opportunity to exfiltrate data by other means, e.g. having the browser load an image on your.site/$password.jpg.

Ah right. Simple!
The CORS policy is set by the server receiving the request, not the page/server sending it.
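For the mitigation the comments point at (a CSP that limits where a page may load images from and connect to), here is an added checker, not code from the thread or from GitHub Pages; it applies the default-src fallback rule and treats a missing directive or a bare wildcard as open. The header values it is run on are constructed.

```python
# Added example (not from the thread): audit a Content-Security-Policy header
# for the two leak channels the comments mention, image loads (img-src) and
# XHR/fetch (connect-src). A missing or wildcard directive means the browser
# will load from any origin. Header values below are constructed.

# Fetch directives that inherit default-src when not set explicitly.
FALLBACK_TO_DEFAULT = {"img-src", "connect-src", "script-src", "style-src",
                       "font-src", "media-src", "frame-src", "object-src"}

# Source expressions that place no origin limit at all.
ANY_ORIGIN = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Sources that apply to a directive, honouring the default-src fallback.
    Returns None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def is_unrestricted(sources) -> bool:
    """True if the source list (or its absence) permits any origin."""
    return sources is None or any(s in ANY_ORIGIN for s in sources)


def exfil_channels(headers: dict[str, str]) -> dict[str, bool]:
    """Map each leak channel to True when the CSP leaves it open."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), "")
    policy = parse_csp(csp)
    return {d: is_unrestricted(effective_sources(policy, d))
            for d in ("img-src", "connect-src")}


if __name__ == "__main__":
    # Constructed responses: a static host with no CSP vs. a locked-down one.
    print(exfil_channels({"Content-Type": "text/html"}))
    print(exfil_channels({"Content-Security-Policy":
                          "default-src 'self'; img-src 'self' https://cdn.example"}))
```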
Can't you embed off-site images?
Well damn, I’ll have to change Hunter2 everywhere now.
Is a password very useful without any other identifier though?