[Fwd: Re: [whatwg] Chrome, Security and Popup Blocking]

Ian Hickson wrote:
> On Thu, 10 Jun 2004, Matthew Raymond wrote:
>>I think you almost have it, but not quite. Web apps can already
>>bring up windows that don't have the chrome in IE 6.0 RIGHT NOW!
> 
> Yeah, but Microsoft have announced that they are pretty much removing that
> feature, and with good reason. It has been used by phishing gangs to gain
> credit card details. For example:
> 
>    http://www.antiphishing.org/phishing_archive/04-29-04_Citibank_(Citibank_Security_Update).html

    I don't really see the problem. As I stated before, the idea would
be to set standards for popup blocking that would handle chromeless
popups. In this case, the user would likely be prompted to allow the
site in question (http://citibank-validate.info/) to display a
chromeless popup. I admit, though, that the link could convince some
people that it's a legitimate Citibank URL, but the user still may
notice that...

1) The domain doesn't match the visible link.

    http://web.da-us.citibank.com != http://citibank-validate.info/

2) The domain doesn't match the URL of the main Citibank site that the
user is redirected to.

    http://www.citibank.com != http://citibank-validate.info/

    Can you point me to the press release or article where it says MS is
removing support for chromeless windows, or is this something you heard
from MS employees behind the scenes? Will this be part of a service
release for IE6, or is it going into IE7?

>>Here's the general idea: Instead of having the above dialog example
>>triggered by a new "application" attribute, we simply detect whenever
>>Javascript tries to create a window with no chrome, or when a web
>>application contains Javascript that removes the chrome from its own
>>window. This approach allows makers of popup-blocking software (which
>>will soon include Microsoft) to control these kinds of applications
>>without having to support new markup.
> 
> You can indeed do that. The idea, however, is to require less scripting in
> the future, by implementing common things like this natively in new
> browsers and using well-tested libraries for Windows IE6.

    I see; you want a way that the HTML document itself can set the
state of the window chrome in case Javascript is disabled (or you have
an author who doesn't know a lot about using Javascript, but does know
forms). Makes sense. Still, if MS is removing the ability to even have
chromeless windows, we won't be able to make this work either without
some kind of plug-in or something. Also, the old Javascript methods of
removing chrome need to be supported for backwards compatibility.

    I do see what you're getting at, though. I agree that the
application attribute should probably be added.

Received on Wednesday, 16 June 2004 12:27:12 UTC
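The detection Matthew proposes above (a popup blocker noticing when script asks for a window with no chrome), as an added example that is not code from this thread or from any browser: it classifies a `window.open()` feature string under the classic rule that an empty string gives a normal window while a non-empty string switches off every chrome part it does not mention. The per-site allow-list and the "prompt" outcome are this example's assumptions, not something the thread specifies.

```javascript
// Standard chrome parts a phishing page would want hidden (classic feature names).
const CHROME_FEATURES = ['toolbar', 'location', 'menubar', 'status'];

// Parse "a=yes,b=no,width=400" into a Map of lower-cased name -> value.
// A bare name ("toolbar") counts as "yes", as classic browsers treated it.
function parseFeatures(features) {
  const map = new Map();
  if (!features || !features.trim()) return map; // empty: default window
  for (const part of features.split(',')) {
    const [rawName, rawValue] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    map.set(name, rawValue === undefined ? 'yes' : rawValue.trim().toLowerCase());
  }
  return map;
}

// Is a boolean chrome feature on? Unmentioned features are on only when the
// feature string was empty; a non-empty string defaults them to off.
function featureOn(map, name) {
  const v = map.get(name);
  if (v === undefined) return map.size === 0;
  return v === 'yes' || v === '1' || v === 'true';
}

// Names of the chrome parts the request would hide (empty list = full chrome).
function hiddenChrome(features) {
  const map = parseFeatures(features);
  return CHROME_FEATURES.filter((f) => !featureOn(map, f));
}

function isChromelessRequest(features) {
  return hiddenChrome(features).length > 0;
}

// Blocker policy (assumed): ordinary windows open freely; a chromeless
// request is allowed only for hosts the user already approved, otherwise
// the user is prompted, as in the citibank-validate.info case above.
function popupDecision(features, allowedHosts, targetHost) {
  if (!isChromelessRequest(features)) return 'allow';
  return allowedHosts.has(targetHost) ? 'allow' : 'prompt';
}
```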