[giancarlostoro]

I wonder about those kinds of exploits that sit on a webpage, but what stops someone from injecting their payload on a sites login page? JS can grab the password in plaintext in such a scenario, at which point the password manager does not save you. Can we normalize Passkey more?

[IgorPartola]

I think the point is that you can have arbitrary website read the browser’s memory so example.com can read the password for example.org and example.net.

[traderj0e]

Or the computer's memory via Meltdown and Spectre-like attacks

[anthk]

That's why I disable JS by default with UBlock Origin. And OFC never allow JS to acces your clipbaord.