On Wed, Jan 11, 2012 at 4:43 PM, Happy Melon happy.melon.wiki@gmail.com wrote:
Yes, no user-editable scripts are run on pages where password forms reside, because it is trivially easy for users to use them to introduce password-sniffing JS attacks, either deliberately or inadvertently. Or that's the idea, at least; IIRC there's an open bug about gadgets running somewhere they probably shouldn't, etc.
Yep, you're looking at bug 10005[0]. This applies to password reset pages, preferences (last I checked) and user login.
-Chad