[whatwg] Why not JavaScript?

Ian Hickson ian at hixie.ch
Thu Jun 10 05:43:33 PDT 2004


On Thu, 10 Jun 2004, Matthew Raymond wrote:
>
> Ian Hickson wrote:
>> I really don't think you can do a native application feel over the Web.
>> If you drop the Web browser "prison", it is too easy to spoof UIs and
>> trick users into entering private data into untrusted apps (even if you
>> have technically sandboxed the applications).
>
> I'm not convinced you can actually avoid this. I've already seen IE
> popups that can only be distinguished from system messages and other
> common Windows dialogs by the border.

This is why browsers are considering not allowing pages to disable the
location bar, menu bar, etc.


> I've also seen web pages that look almost identical to other web pages.
> If we really want to prevent people from tricking us into launching
> malicious code, perhaps we should focus on the security model rather
> than restrict the UI.

The code is not malicious in a technical way. It's just spoofing another
site, and subverting the password or PIN collection. There is no technical
way of reliably detecting this, since these sites are basically identical
to legitimate sites, by design.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


