> As I wrote in <http://launchpad.net/bugs/370248>: "For several years Web > browsers have insisted on showing the address bar, or the status bar, or > both, in any popup window as a way of distinguishing it from native > application windows. Can you provide a demo which avoids this security > measure?" > > In both Firefox and Chromium, the demo you have pointed to has not just > the browser's address bar *and* status bar, but also two title bars > rather than one. If you can provide a more convincing demo, please > attach it to the bug report.
OK, let me get this straight. Are you saying that all pop-up windows that appear to you in your browser have the window decorations around it? Could you please visit: http://www.popup-killer-review.com/windowless-swf.htm This show that it is possible to add a flash application on top of a web-page without any decorations.Given enough skill it ca have the right look, doesn't it? I do know any flash, so it would take quite some effort to create an example myself, but I think it is clear that what I talking about can be accomplished through flash. > As I wrote in <http://launchpad.net/bugs/332945>: "...assuming that > people will see a window that looks like the updates window, and behaves > like the updates window, but be able to tell that it's fake solely > because it opened automatically. I think that's quite unrealistic, > because it would require a much better memory for past actions than > people usually have. For example, if you open Update Manager yourself > but get a phone call and have to switch to another task in a hurry, and > don't return to Update Manager until the next day, you may have no > memory of opening it the previous day. (Expecting people to then close > it and reopen it, *just in case* the already-open instance was a fake > one, would be even less realistic.)" > OK. This is true, given a sufficiently convoluted scenario the user may forget that he has called the update-manager or not once he goes back to the computer. However this is not the most likely scenario. Most likely the user will be there using the computer when a malicious window pops up in the middle of the web page (probably he will be browsing and have recently moved to the malicious page where the pop-up lives). Then he can think: "weird, I do not remember calling update-manager (or any other adminstration window)". In the current state of affairs the user thinks "Here goes update-manager again...". So even though not having the pop-up behavior in administrative tasks would help us explain to user how to behave when they see weird pop-ups in their computers. Best, Paulo _______________________________________________ Mailing list: https://launchpad.net/~ayatana Post to : ayatana@lists.launchpad.net Unsubscribe : https://launchpad.net/~ayatana More help : https://help.launchpad.net/ListHelp
