19.12.2008 Chapin Information Services
Action Authority Raises Warnings FAILED FAILED FAILED FAILED FAILED
Action Path Checked on Retrieval FAILED FAILED FAILED FAILED FAILED
Action Path Checked on Save FAILED FAILED FAILED FAILED FAILED
Action Scheme Checked on Retrieval PASSED PASSED FAILED FAILED FAILED
Action Scheme Checked on Save FAILED PASSED FAILED FAILED FAILED
Action Scheme Raises Warnings FAILED FAILED FAILED FAILED FAILED
Action Scheme Prevented if Unsafe FAILED FAILED FAILED FAILED FAILED
Autocomplete=Off Prevents Form Fills FAILED ? FAILED FAILED PASSED
Invisibility Prevents Form Fills PASSED FAILED PASSED PASSED FAILED
Method Checked on Retrieval FAILED FAILED FAILED FAILED PASSED
Method Raises Warnings FAILED FAILED FAILED FAILED FAILED
Multiple Paths Per User Per Authority FAILED FAILED FAILED FAILED FAILED
Multiple Ports Per User Per Host FAILED PASSED FAILED FAILED FAILED
Multi. Schemes Per User Per Authority FAILED PASSED FAILED FAILED FAILED
Page Path Checked on Retrieval PASSED FAILED PASSED FAILED FAILED
Random Name Attr. Prevents Form Fills PASSED FAILED FAILED FAILED FAILED
User Required for PW Retrieval PASSED FAILED PASSED FAILED FAILED
User Required for PW Save FAILED FAILED PASSED PASSED FAILED
Valid URIs Don't Break Anything PASSED PASSED PASSED FAILED FAILED
Totals 7 7 5 2 2
* Google Chrome is the only PM that strictly adheres to the criteria for
autocomplete by disabling itself. Firefox 3.0.4 will avoid filling a password when
the page loads, but the PM remains attached to password fields for filling
passwords.
Test Descriptions
Action Authority Checked on Retrieval
To pass this test, the PM must never deliver a password to a domain other than the one to which the password was
delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically
filled in another form that points to a different website, then the PM has failed this test.
Action Authority Checked on Save
To pass this test, the PM must never overwrite the destination domain name of a password without explicit user
interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that
points to a different website, and the PM prevents the password from being filled on the original form, then the PM
has failed this test. Note the implicit requirement that a PM must distinguish authorities on retrieval.
Action Authority Raises Warnings
To pass this test, the PM must warn the user if the action authority does not match the page authority. For example,
if a login form at www.info-svc.com:80 points to google.com or to www.info-svc.com:81, and the PM allows a user
to save or submit a password using this form without notice, then the PM has failed this test.
Action Path Checked on Retrieval
To pass this test, the PM must never deliver a password to a path other than the one to which the password was
delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically
filled in another form that points to a different parent directory, then the PM has failed this test.
Action Path Checked on Save
To pass this test, the PM must never overwrite the destination path of a password without explicit user interaction.
For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a parent
directory, and the PM prevents the password from being filled on the original form, then the PM has failed this test.
Note the implicit requirement that a PM must distinguish paths on retrieval.
www.info-svc.com/news/2008/12-12/ 2/4
Action Scheme Checked on Retrieval
To pass this test, the PM must never deliver a password using a protocol other than the one by which the password
was delivered when it was saved. For example, if a password is saved on a self-referring web page, and then
automatically filled in another form that uses e-mail to deliver the password, then the PM has failed this test.
Action Scheme Checked on Save
To pass this test, the PM must never overwrite the destination scheme of a password without explicit user
interaction. For example, if a password is first saved on an http: form, and then re-saved on a form that uses https:
or mailto: and the PM prevents the password from being filled on the original form, then the PM has failed this test.
Note the implicit requirement that a PM must distinguish schemes on retrieval.
Action Scheme Raises Warnings
To pass this test, the PM must warn the user if the action scheme is potentially unsafe or does not match the page
scheme. For example, if a login form uses an e-mail application that will display the password on screen, and the
PM allows the user to save or submit a password using this form without notice, then the PM has failed this test.
Action Scheme Prevented if Unsafe
To pass this test, the PM must successfully abort a password delivery if requested by the user.
Autocomplete=Off Prevents Form Fills
To pass this test, the PM must never deliver a password when the autocomplete attribute is present and set to "off".
Invisibility Prevents Form Fills
To pass this test, the PM must never deliver a password using a form that is not visible. For example, if a login form
is present on a web page but has its display property set to none, and the PM automatically fills the form allowing
the password to be transmitted despite being invisible, then the PM has failed this test.
Method Checked on Retrieval
To pass this test, the PM must never deliver a password using an HTTP method other than the one by which the
password was delivered when it was saved. For example, if a password is saved on a form that uses POST, and
then automatically filled in another form that uses GET to deliver the password, then the PM has failed this test.
Method Raises Warnings
To pass this test, the PM must warn the user if the password submission method is potentially unsafe. For example,
if a login form uses GET, which causes the password to be added to the address bar, and the PM allows the user to
save or submit a password using this form without notice, then the PM has failed this test.
Multiple Paths per User per Authority
To pass this test, the PM must allow a user to save different passwords in different paths of a single domain using the
same user name. Note the implicit requirement that a PM must distinguish paths in both the action URI and page
URI.
Multiple Ports per User per Authority
To pass this test, the PM must allow a user to save different passwords using different ports on a single domain using
the same user name. Note the implicit requirement that a PM must distinguish ports in both the action URI and page
URI.
Multiple Schemes per User per Authority
To pass this test, the PM must allow a user to save different passwords using different schemes on a single domain
using the same user name. Note the implicit requirement that a PM must distinguish schemes in both the action URI
and page URI.
Page Path Checked on Retrieval
To pass this test, the PM must never deliver a password to a path other than the one at which the password was
requested when it was saved. For example, if a password is saved on a self-referring form, and then automatically
filled in another form that points to the same path but is located in the parent directory, then the PM has failed this
test.
Random Name Attribute Prevents Form Fills
To pass this test, the PM must never fill a password in a form field whose name attribute does not match the name of
the field that was used to save the password.
User Required for Password Retrieval
To pass this test, the PM must never fill a password without explicit user interaction.
User Required for Password Save
To pass this test, the PM must never save or overwrite a password without explicit user interaction. For example, if
a password is saved with a username, and then the same form is re-submitted with the same username and a
different password, and the PM then fills the new password into forms instead of the original password, then the PM
has failed this test.
Valid URIs Don't Break Anything
To pass this test, the PM must never submit a password to the wrong URI or fail to submit a password to a valid
URI as a result of erroneous action attribute parsing. For example, if the action attribute value is
"mailto:localpart@www.info-svc.com" and the PM delivers a password to
"http://www.info-svc.com/mailto:localpart@www.info-svc.com" then the PM has failed this test.
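The retrieval-side criteria above (destination, method, field-name, autocomplete and visibility checks, plus the three warning conditions and the one-entry-per-scheme/port/path requirement) written out as a fill-policy check. This is an added example, not code from the Chapin report or any browser: the `SavedLogin` and `FormContext` record shapes, the `target`/`store_key`/`fill_decision` names and the www.info-svc.com sample URIs are illustrative, and the policy never fills on its own, it only "offers" a credential for the user to confirm.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urljoin
SAFE_SCHEMES = {"http", "https"}   # anything else (e.g. mailto:) draws a warning

@dataclass(frozen=True)
class SavedLogin:         # hypothetical record shape, not the report's
    page_uri: str         # absolute URI of the page the form was saved on
    action_uri: str       # resolved form action at save time
    method: str           # "POST" or "GET"
    username: str
    field_name: str       # name attribute of the password field

@dataclass(frozen=True)
class FormContext:        # what the PM sees on the current page
    page_uri: str
    action: str           # raw action attribute, may be relative
    method: str = "GET"   # HTML default when the attribute is absent
    field_name: str = ""
    autocomplete: str = ""
    visible: bool = True

def target(uri):
    """(scheme, host, port, path); default ports explicit so :80 == no port, :81 differs."""
    u = urlsplit(uri)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port, u.path)

def store_key(login):
    """One entry per user per scheme, host, port and path (action and page)."""
    return (login.username,) + target(login.action_uri) + (target(login.page_uri)[3],)

def fill_decision(saved, form):
    """("block" | "offer", warnings); 'offer' still requires the user to confirm."""
    action = urljoin(form.page_uri, form.action)   # mailto: stays mailto:, not http://host/mailto:
    a, p = target(action), target(form.page_uri)
    if form.autocomplete.lower() == "off" or not form.visible:
        return "block", ["autocomplete=off or invisible form"]
    if form.field_name != saved.field_name:
        return "block", ["password field name differs from the saved one"]
    if (a, p, form.method.upper()) != (
            target(saved.action_uri), target(saved.page_uri), saved.method.upper()):
        return "block", ["scheme, authority, path or method differs from save time"]
    warnings = []
    if a[0] not in SAFE_SCHEMES or a[0] != p[0]:
        warnings.append("action scheme %r is unsafe or differs from the page" % a[0])
    if a[1:3] != p[1:3]:
        warnings.append("action authority differs from page authority")
    if form.method.upper() == "GET":
        warnings.append("GET places the password in the address bar")
    return "offer", warnings
```

The comparisons are exact; a PM that wants to treat `/login/` and `/login/index.html` as one location would relax the path test in `target`, but the report's examples (parent directory, port 81, mailto:) all remain distinct.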