Closed japit closed 9 years ago
Comment received to expand FDP_PST_EXT.1 to mandate safe handling of auto-complete and password storage. FMT_MOF_EXT.1 addresses the following options/requirements:
- Auto complete can be disabled.

Comment considered partially accepted based on FMT_MOF_EXT.1.
An attacker who compromises the browser may be able to retrieve usernames and passwords stored for auto-completion, even if those credentials are stored by the underlying platform. At the same time, even if usernames and passwords are not stored for auto-completion, a determined attacker may persist until the usernames and passwords are manually entered and collect them at that time.