- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 8 Aug 2016 12:09:48 +1000
- To: "Walter H." <Walter.H@mathemainzel.info>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 8 August 2016 at 03:25, Walter H. <Walter.H@mathemainzel.info> wrote: > configured proxies are not the bug; why not just simpy use plain HTML? Because the problem we're trying to avoid is spoofing. The browser needs to own the UX for the page that appears or we risk showing something that could be mistaken for the real thing. A link and some text is maybe manageable. To Amos' point, branding is likely a step too far. Yielding that much control over pixels is probably not going to happen. And yes, this implies that we don't trust the proxy. If the user wanted bank.example.com and they got proxy.example then that looks like an attack.
Received on Monday, 8 August 2016 03:10:45 UTC