Phishing simplified with AJAX

Virtual Karma points out one not so pleasant side effect of asynchronous JavaScript: if you liked Gmail's auto-save, a phishing site can use the same trick to save your form data to its server half-way through the process, before you ever press Submit.

So you click on the link, go to a web site that supposedly represents the bank, halfway through you realize this is not the real bank web site, since your bank never used tripod.com as its hosting provider, and then you're ready to close the window… Ooops! Whatever data was entered has already been carefully auto-saved onto the remote server.

The paranoid solution would be to turn off JavaScript for every site out there and allow it only for the ones that require it and won't work otherwise. No wonder NoScript is one of the most popular extensions out there.

Posted Saturday, July 15th, 2006 under Technology.