Frank Hecker wrote:
What's your and Dan's motivation for doing that? Because the domain name as displayed in the address bar may be misleading (e.g., by people doing tricks to spoof the name as displayed)?
There were several reasons behind the decision. There is discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=262366 . Basically:
1) Most phishers are currently not using SSL, and people are left parsing complex URLs in the URL bar.
2) Some important sites are not using SSL for their login pages - Yahoo apparently being one.
I have a Yahoo e-mail account, and that uses SSL for logins. Are you talking about the free Yahoo webmail or paid Yahoo e-mail accounts?
2) We need a way to brand every browser window so that it can't be confused with an OS window. Just the status bar - a featureless grey blob - doesn't really do that. Having the domain makes it clear.
There is, or should be, (for now) that Mozilla Firefox icon (at least on Windows) at the upper left corner of the window (I don't have a clue what the official for it is).
I'm still not really convinced it's a good idea, but the real reason I agreed to it, though, was that otherwise Dan was threatening to port his Firefox 1.0.1 patch which puts the URL in the _title_ bar on popups (as IE now does) over to the trunk. :-) And I figured that if we were determined to display the domain somewhere on insecure popups, at least we should:
- be consistent - keep security UI to the status bar, without letting it creep everywhere - avoid the problems IE has with their title bar implementation.
Gerv
_______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
