On Wed, Jan 11, 2012 at 4:43 PM, Happy Melon <happy.melon.wiki(a)gmail.com> wrote:
Yes, no user-editable scripts are run on pages where password forms reside,
because it is trivially easy for users to use them to introduce
password-sniffing JS attacks, either deliberately or inadvertently. Or
that's the idea, at least; IIRC there's an open bug about gadgets running
somewhere they probably shouldn't, etc.

Yep, you're looking at bug 10005. This applies to password reset pages,
preferences (last I checked) and user login.