On Thu, 2004-08-26 at 09:39, Bryan Clark wrote:
> On Thu, 2004-08-26 at 08:54 +0200, Nils Philippsen wrote:
> > That when some people are struggling to get the majority of
> > Windows-ridden persons _not_ to trust everything that's on a web page...
> > Well the idea is that there will be bugs and there will be security
> > holes and that I don't want to make it easier for the Black Hats to
> > exploit these by just popping up a nicely crafted web page. Just think
> > about the changes you need to do: now you have to check whether
> > following special links is allowed, therefore you have to remember that
> > a page is internal... With a dialog you get all of this for free and
> > trust me, people are not that scared by dialogs than you seem to think
> > ;-).
>
> javascript::alert("Phear") will look just like any alert dialog we
> create in the system and there are other dialog boxes that can be
> constructed via javascript that will be able to trick people in other
> interactions.

Admitted, but then that's a bug in the browsers -- anything originating
from a web page (which by definition is potentially hostile) should be
clearly distinguishable from everything else (e.g. big "JavaScript
Dialog:" prefix in the window title). Other than the web page itself ;-).

Nils
-- 
Nils Philippsen / Red Hat / nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011