Comment 6 for bug 387297
Revision history for this message
| Leonard Richardson (leonardr) wrote Re: manage-credentials should not ask for Launchpad password directly | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
We considered a web widget, but it's not really any better than a custom client. A random app can show you some HTML that asks for your Launchpad password, just as a random app can ask for your Launchpad password directly.
We treat the browser as a trusted client not because it displays HTML, but because the user has already entered their Launchpad password into it many times. When a third-party application asks for the Launchpad password the user must make a decision to trust that application. When a third-party application spawns a new tab in the browser the user was already using, the user doesn't have to make that decision.
We're falling back to a position of a few standard non-browser clients mainly so that people don't write their own code. Since first commenting on this bug I've heard of third-party clients that eg. crawled through the user's Firefox profile looking for a saved Launchpad password. That's just sick.