[whatwg] Chrome, Security and Popup Blocking

Ian Hickson ian at hixie.ch
Wed Jun 16 04:07:31 PDT 2004


On Thu, 10 Jun 2004, Matthew Raymond wrote:
>
> I think you almost have it, but not quite. Web apps can already
> bring up windows that don't have the chrome in IE 6.0 RIGHT NOW!

Yeah, but Microsoft have announced that they are pretty much removing that
feature, and with good reason. It has been used by phishing gangs to gain
credit card details. For example:

   http://www.antiphishing.org/phishing_archive/04-29-04_Citibank_(Citibank_Security_Update).html


> Here's the general idea: Instead of having the above dialog example
> triggered by a new "application" attribute, we simply detect whenever
> Javascript tries to create a window with no chrome, or when a web
> application contains Javascript that removes the chrome from its own
> window. This approach allows makers of popup-blocking software (which
> will soon include Microsoft) to control these kinds of applications
> without having to support new markup.

You can indeed do that. The idea, however, is to require less scripting in
the future, by implementing common things like this natively in new
browsers and using well-tested libraries for Windows IE6.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list