On Fri, Jun 12, 2015 at 3:32 PM, Michael Catanzaro <mcatanzaro@xxxxxxxxx> wrote:
> On Fri, 2015-06-12 at 11:19 -0700, Andrew Lutomirski wrote:
>> It wouldn't really have to be Firefox, but getting the browser chrome
>> right to avoid trivial phishing attacks is critical, and all real
>> browsers already do that fairly well, whereas the simple embedded web
>> views (e.g. gnome-shell-portal-helper) get it nearly 100% wrong.
>
> Hi, it sounds like we have a problem to fix in
> gnome-shell-portal-helper. What specifically are your requirements
> for the browser chrome? I figure as long as the window title is
> something along the lines of "Connect to wireless network" and the
> hotspot can't change that, then we should be good?

Barely. GNOME seems to do its best to hide window titles, so something like a URL bar is probably a better bet. Also, users are already (hopefully) trained to look for an indication in the URL bar that something is secure or insecure.

> We could also put a short explanation of
> what is going on in a GtkInfoBar to make it really stand out. I guess
> the goal is to make the chrome distinctive enough that a user stops to
> think "something is not right, don't enter password" when the captive
> portal helper appears and displays google.com.

But that's not even right. Suppose you have a captive portal that wants you to log in via your Google account. It can send you to https://accounts.google.com, and your browser can verify the certificate and show you an indication that the connection is secure. Then you really can safely enter your password.

With the current gnome-shell-portal-helper, there is no chrome at all, which means that the captive portal gets to show its own chrome, and it could, for example, make the login window look exactly like Firefox. I bet that even the most sophisticated users lose in that case.

I think the UI should look like a real browser except that it should clearly indicate that it's a "Log in to wireless network" browser in addition to showing a standard URL bar.

https://bugzilla.gnome.org/show_bug.cgi?id=749197

>
> FWIW the tech used for GNOME apps that need a web view is WebKitGTK+.

Can that provide real chrome?

--Andy

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
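
An added illustration of the requirement discussed in this message (not code from gnome-shell-portal-helper, WebKitGTK+ or either poster): a Python sketch of chrome state derived only from what the helper itself knows about the load, so the portal page cannot influence the label, the URL bar or the security indicator. The function name, its parameters and the `portal.example` host are hypothetical; dropping userinfo and showing internationalised hosts in ASCII form are extra hardening assumed here, not points raised in the thread.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Fixed by the helper; page content can never change it.
WINDOW_LABEL = "Log in to wireless network"


@dataclass(frozen=True)
class Chrome:
    label: str     # helper-owned window label
    location: str  # text for a read-only URL bar
    secure: bool   # True only for HTTPS with a verified certificate


def trusted_chrome(uri: str, cert_verified: bool, page_title: str = "") -> Chrome:
    """Derive chrome from the helper's own view of the load.

    uri           -- URI the web view actually loaded (hypothetical input)
    cert_verified -- result of the helper's own certificate check
    page_title    -- supplied by the portal page, so deliberately unused
    """
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            raise ValueError("not a web location")
        # Show internationalised names in ASCII form so look-alike
        # characters cannot imitate a well-known host.
        host = host.encode("idna").decode("ascii")
        port = f":{parts.port}" if parts.port else ""
    except ValueError:  # malformed URI, bad port or invalid host name
        return Chrome(WINDOW_LABEL, "(unknown location)", False)
    # Rebuild from parsed parts: userinfo is dropped, so
    # "https://accounts.google.com@portal.example/" shows portal.example.
    location = f"{parts.scheme}://{host}{port}{parts.path or '/'}"
    secure = parts.scheme == "https" and cert_verified
    return Chrome(WINDOW_LABEL, location, secure)


if __name__ == "__main__":
    # Constructed sample loads: (uri, cert_verified, page-supplied title)
    for sample in [
        ("https://accounts.google.com/ServiceLogin", True, "Sign in"),
        ("http://portal.example/login", False, "Mozilla Firefox"),
        ("https://accounts.google.com@portal.example/", True, "Google"),
    ]:
        print(trusted_chrome(*sample))
```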