- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 8 Jun 2012 17:18:40 +0000 (UTC)
- To: Biju <bijumaillist@gmail.com>, Rick Waldron <waldron.rick@gmail.com>
- Cc: whatwg <whatwg@whatwg.org>

On Mon, 5 Mar 2012, Biju wrote:
>
> Today I again landed on a malicious site which traps users using
> alert/confirm to download some application.

On Mon, 5 Mar 2012, Rick Waldron wrote:
>
> All three of these are considered highly effective tools in mobile web
> development - they offer functional "UI" for free.

On Tue, 6 Mar 2012, Biju wrote:
>
> Along with window.open() malicious sites also love those features. To
> make browsing safe (especially for kids, non techies) we need to ban
> alert/confirm/prompt
>
> And we should have an alternative to window.open()
> maybe a CONTROL attribute for <IFRAME> tag.
>
> ie,
>
> <IFRAME src="http://google.com" CONTROL> </IFRAME>
>
> will create a draggable/movable IFRAME with title bar, a pop-up button.
> If user clicks on pop-up button it pops out of the webpage.

I don't think there's any reason to believe that malware authors would be any less able to use that kind of UI than alert().

Historically, the problem with alert() and friends is that they are implemented in a bit of a blunt manner. However, this has been improving. Browsers offer to abort the script, browsers keep them modal to less than the entire browser, browsers detect abuse patterns like multiple alerts in a row, etc.

Practically speaking, we can't stop supporting them. Lots of the Web rely on them. So there's no point deprecating them, it wouldn't change anything.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 8 June 2012 17:19:11 UTC