W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2004

[whatwg] Why not JavaScript?

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 10 Jun 2004 12:43:33 +0000 (UTC)
Message-ID: <Pine.LNX.4.58.0406101241590.21800@dhalsim.dreamhost.com>
On Thu, 10 Jun 2004, Matthew Raymond wrote:
> Ian Hickson wrote:
>> I really don't think you can do a native application feel over the Web.
>> If you drop the Web browser "prison", it is too easy to spoof UIs and
>> trick users into entering private data into untrusted apps (even if you
>> have technically sandboxed the applications).
> I'm not convinced you can actually avoid this. I've already seen IE
> popups that can only be distinguished from system messages and other
> common Windows dialogs by the border.

This is why browsers are considering not allowing pages to disable the
location bar, menu bar, etc.

> I've also seen web pages that look almost identical to other web pages.
> If we really want to prevent people from tricking us into launching
> malicious code, perhaps we should focus on the security model rather
> than restrict the UI.

The code is not malicious in a technical way. It's just spoofing another
site, and subverting the password or PIN collection. There is no technical
way of reliably detecting this, since these sites are basically identical
to legitimate sites, by design.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 June 2004 05:43:33 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:34 UTC