- From: Matthew S. Raymond <mattraymond@earthlink.net>
- Date: Wed, 16 Jun 2004 15:27:12 -0400
Ian Hickson wrote: > On Thu, 10 Jun 2004, Matthew Raymond wrote: >>I think you almost have it, but not quite. Web apps can already >>bring up windows that don't have the chrome in IE 6.0 RIGHT NOW! > > Yeah, but Microsoft have announced that they are pretty much removing that > feature, and with good reason. It has been used by phishing gangs to gain > credit card details. For example: > > http://www.antiphishing.org/phishing_archive/04-29-04_Citibank_(Citibank_Security_Update).html I don't really see the problem. As I stated before, the idea would be to set standards for popup blocking that would handle chromeless popups. In this case, the user would likely be prompted to allow the site in question (http://citibank-validate.info/) to display a chromeless popup. I admit, though, that the link could convince some people that it's a legitimate Citibank URL, but the user still may notice that... 1) The domain doesn't match the visible link. http://web.da-us.citibank.com != http://citibank-validate.info/ 2) The domain doesn't match the URL of the main Citibank site that the user is redirected to. http://www.citibank.com != http://citibank-validate.info/ Can you point me to the press release or article where it says MS is removing support for chromeless windows, or is this something you heard from MS employees behind the scenes? Will this be part of a service release for IE6, or is it going into IE7? >>Here's the general idea: Instead of having the above dialog example >>triggered by a new "application" attribute, we simply detect whenever >>Javascript tries to create a window with no chrome, or when a web >>application contains Javascript that removes the chrome from its own >>window. This approach allows makers of popup-blocking software (which >>will soon include Microsoft) to control these kinds of applications >>without having to support new markup. > > You can indeed do that. The idea, however, is to require less scripting in > the future, by implementing common things like this natively in new > browsers and using well-tested libraries for Windows IE6. I see, you want a way that the HTML document itself can set the state of the window chrome in case Javascript is disabled (or you have an author who doesn't know a lot about using Javascript, but does know forms). Makes sense. Still, if MS is removing the ability to even have chromeless windows, we won't be able to make this work either without some kind of plug-in or something. Also, the old Javascript methods of removing chrome need to be supported for backwards compatibility. I do see what you're getting at, though. I agree that the application attribute should probably be added.
Received on Wednesday, 16 June 2004 12:27:12 UTC