Why am I allowed to log in to, say, Trello.com while I am on the surfly.com domain? Shouldn't my browser's cross-domain security policy prohibit this practice?
Is it all being done through a proxy? If so, is it not true that a lot of sites don't work over a proxy?
[Edit] And if it is indeed a proxy, doesn't that mean you can read my password(s) in clear text?
The connection to the proxy is encrypted, and if the site you log in to also uses HTTPS, your password will never be sent in clear text over the wire. Since form submissions are not actually replayed on the viewer's side, we only keep them for the time of the request and only in memory. For those companies who want to control the security fully, we are working on a solution that can be installed on-premise.