- From: timeless <timeless@gmail.com>
- Date: Sun, 13 Jun 2010 11:33:25 +0300
- To: Michael Nordman <michaeln@google.com>, Tab Atkins Jr <jackalmage@gmail.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, Adrian Bateman <adrianba@microsoft.com>, "arun@mozilla.com" <arun@mozilla.com>, Jian Li <jianli@chromium.org>, Web Applications Working Group WG <public-webapps@w3.org>, public-device-apis <public-device-apis@w3.org>
On Fri, Jun 11, 2010 at 10:04 PM, Michael Nordman <michaeln@google.com> wrote:
> Another advantage is that...
> blobdata://http_responsible_party.org:80/3699b4a0-e43e-4cec-b87b-82b6f83dd752
>
> ... makes it clear to the end user who the responsible party is when these
> urls are visible in the user interface. (location bar, tooltips, etc).

It doesn't, it just means yet another way for scripts to confuse the user.

Every time we provide a string whose domain is in control of a domain, the set of evil uses increases as evil groups set up more interesting domains and trick users for another two or three years. With browsers targeting smaller devices, as well as users who are less familiar with the web, or even experienced users who missed memos about IDN, these "improvements" just cause more problems.

Tab: I'd like to specifically call you out for your inclusion of: http://www.詹姆斯.com/blog/2010/06/html5-atom-gone-wrong, a comparison in a recent email. .COM does not allow IDN and you should not have used that. I know someone was being cute, but that doesn't justify confusing users.

I don't have time to construct a similarly written domain which happens to go to my own spoof, nor am I going to invest the ~9 USD that it would cost to do so, but it is perfectly reasonable for someone else to do so. The time it would take is probably around 10mins including picking a similar character, registering the domain, and posting content.

It's true that this spoof would not fool all of the people all of the time, but it would probably fool most of the people most of the time.
Received on Sunday, 13 June 2010 08:34:07 UTC