Does holding a user's password in a javascript variable in the browser expose any specific security vulnerabilities, over and above the usual security vulnerabilities of a browser-based client?
http://jsfiddle.net/jS55M/
```html
<!-- jsfiddle loads jQuery for you; when run stand-alone, include it explicitly -->
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>

<label for="password">Password</label>
<input type="password" id="password"/><br/><br/>
<button type="button" id="pwdButton">Store password in window.password</button>

<script>
  // Read the current contents of the password field
  function getContentsOfPasswordField() {
    return jQuery("input#password").val();
  }

  // On click, copy the password into a global variable that lives for the
  // whole lifetime of the page (deliberately the worst case)
  jQuery("button#pwdButton").on("click", function() {
    window.password = getContentsOfPasswordField();
    alert(" " + password + " stored in global var window.password");
  });
</script>
```
In this example the password variable is global and persists for the lifetime of the page, just to make it as open-to-attack as possible and give the worst-case scenario. Perhaps limiting the scope/lifetime of the variable can shield it from certain classes of attacks?
http://www.symantec.com/connect/blogs/getting-sassy-xss-part-1-keystroke-logging
Please note the point of the question is not really whether or not doing this is a bad practice; this is more of a fundamental question about client-side web app security :)
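As an added illustration (not part of the question or its fiddle) of the scoping idea raised above, the following contrasts the global-variable pattern with a closure-scoped, short-lived one and includes a small check that scans the global object for any property still holding the password; `globalThis` stands in for `window` so it also runs in Node, and the sample password and the `readField`/`use` callbacks are constructed stand-ins for the input field and the login request.

```javascript
// Added example, not code from the original question.
// In a browser the global object is `window`; `globalThis` is used so the
// same code runs in Node.

// Pattern from the question: the password is stored on the global object for
// the lifetime of the page, so any script running in the page can read it.
function storePasswordGlobally(password) {
  globalThis.password = password;
}

// Alternative: the password exists only inside this function's scope and is
// handed straight to `use` (e.g. a function that builds the login request).
// Once this returns, no other script can reach it by name; this limits
// reachability, it does not erase the string from memory.
function withScopedPassword(readField, use) {
  const password = readField(); // read the field only when needed
  return use(password);
}

// Defender's check: names of global properties whose value equals the
// password, i.e. what a script in the page could read with no effort.
function globalLeaks(password) {
  return Object.keys(globalThis).filter((k) => globalThis[k] === password);
}

function forgetGlobalPassword() {
  delete globalThis.password;
}

// Walk through both patterns with a constructed sample password.
function demo() {
  const secret = "correct horse battery staple"; // constructed sample value
  storePasswordGlobally(secret);
  const leakedGlobal = globalLeaks(secret); // ["password"]
  forgetGlobalPassword();
  // `use` here just reports the length it would have sent
  const sent = withScopedPassword(() => secret, (p) => p.length);
  const leakedScoped = globalLeaks(secret); // []
  return { leakedGlobal, leakedScoped, sent };
}
```

Scoping only removes the easy handle; a script that already runs in the page can still read the input field or log keystrokes, as the Symantec post linked above describes.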