Open asayler opened 9 years ago
I haven't been able to reproduce this, although it clicked a while back that while the form method property is defaulting to GET, the form is prevented from executing regardless. Considering practicality, I don't think the LastPass extension parses scripts in their extension, so it's probably possible to just trick it. Therefore, if the behavior shown in the image above still occurs, the line at login.html#L14 could be changed from:
<form class="form-login" role="form" name="loginform" id="loginform" action="">
To this:
<form class="form-login" role="form" name="loginform" id="loginform" method="POST">
I have not tested this, but it might be worth investigating.
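An added example, not part of the original thread or the project's code: a static check that flags any form holding a password input whose effective method is GET, run on the two form tags quoted above. The input fields appended to those tags are constructed, and treating "password form with GET" as the trigger is an assumption; the thread does not confirm what LastPass actually checks.

```python
from html.parser import HTMLParser

class PasswordFormAudit(HTMLParser):
    """Flag forms that contain a password input and would submit via GET."""

    def __init__(self):
        super().__init__()
        self._form = None    # state of the <form> currently open, if any
        self.findings = []   # list of (form id, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            declared = (attrs.get("method") or "").lower()
            # Per the HTML spec, a missing or invalid method falls back to GET.
            effective = declared if declared in ("post", "dialog") else "get"
            self._form = {"id": attrs.get("id") or "(no id)",
                          "method": effective, "has_password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            form, self._form = self._form, None
            if form["has_password"] and form["method"] == "get":
                self.findings.append((form["id"], "password form defaults to GET"))

def audit(html):
    parser = PasswordFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed fields; the thread only quotes the opening <form> tag.
FIELDS = ('<input type="text" name="username">'
          '<input type="password" name="password"></form>')
BEFORE = ('<form class="form-login" role="form" name="loginform" '
          'id="loginform" action="">' + FIELDS)
AFTER = ('<form class="form-login" role="form" name="loginform" '
         'id="loginform" method="POST">' + FIELDS)

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```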
I've only run into this intermittently, seemingly dependent on the version of Ubuntu I'm testing with. To be fair, I encounter it on other (non-COG) sites as well, so I think the issue is really just LastPass being too pedantic about what they consider "secure". But if I can continue to duplicate it, I can try the form method hack.
Needs to be investigated. Probably a false positive due to our use of the GET method for token fetching, but maybe the code can be adapted to avoid the warning.
Sparse details at https://lastpass.com/support.php?cmd=showfaq&id=7336.