Feedback wanted regarding prettyURL()
George Staikos
staikos at kde.org
Thu Aug 16 23:39:13 BST 2007
FYI, Mozilla is working on a "location bar v2" where they visually
separate the elements when it doesn't have key focus. What Dirk
provided might be a good step, but I think a full solution will
require much more thought and work.
On 16-Aug-07, at 5:56 PM, Thiago Macieira wrote:
> Dirk Mueller wrote:
>> Hi,
>>
>> To avoid the latest announced URL spoofing attacks in a general way, I
>> suggested shortening the username, to avoid the user misinterpreting
>> the username as actually being part of the hostname.
>>
>> This however breaks the URL pretty badly: the username is not really
>> valid anymore. On the other hand, it's unlikely that a very long
>> username will be given, especially if no password has been added.
>>
>> Comments, opinions?
>
> Let me understand the objective:
>
> we want the UI to show a shortened username so that a spoofer doesn't
> write, for instance:
> http://www.kde.org%2Fdownload%2Flatest.php@spoofer-website.com
> which displays in Konqueror:
> http://www.kde.org/download/latest.php@spoofer-website.com
>
> First things first, I'd recommend leaving those %HH quoted. I'll check
> that QUrl in Qt4 does have that behaviour.
>
> Second, would users be fooled by the %2F there? Or by %40?
>
> If so, then I agree with the patch. Pressing Enter on the Konqueror
> Location bar doesn't necessarily go to the same website as it is
> displaying.
>
> --
> Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
> PGP/GPG: 0x6EF45358; fingerprint:
> E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/
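The spoof Thiago describes, worked through as an added example (this is not
code from the thread, from Dirk's patch or from KDE/Qt): a display routine that
percent-decodes the userinfo turns the username into something that reads as
host plus path, while one that leaves %HH quoted and shortens the username, as
proposed, does not. The function names, the 16-character cut-off and the
masking of a password in the display are illustrative assumptions; the spoof
URL is the one quoted in the message, and the others are constructed.

```python
"""Added example: why decoding %HH in the userinfo is dangerous for display,
and a shortened, still-quoted display form.  Not KDE/Qt code; names and the
length limit are illustrative assumptions."""
from urllib.parse import urlsplit, unquote

# The spoof URL quoted in the thread: what reads as a host is the username;
# the request really goes to spoofer-website.com.
SPOOF = "http://www.kde.org%2Fdownload%2Flatest.php@spoofer-website.com"

# Illustrative cut-off for displayed usernames (the thread names no number).
MAX_USER_LEN = 16


def real_host(url: str) -> str:
    """The host a request for this URL is actually sent to."""
    return urlsplit(url).hostname or ""


def apparent_host(display: str) -> str:
    """What a casual reader takes for the host: the text after '://' up to
    the first '/', '?' or '#'.  Only used to show how a display misleads."""
    rest = display.split("://", 1)[-1]
    for sep in "/?#":
        rest = rest.split(sep, 1)[0]
    return rest


def rebuild_for_display(parts, userinfo: str) -> str:
    """Reassemble scheme://userinfo@host[:port]path[?query][#fragment]."""
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    url = f"{parts.scheme}://{userinfo}@{host}{parts.path}"
    if parts.query:
        url += "?" + parts.query
    if parts.fragment:
        url += "#" + parts.fragment
    return url


def naive_pretty_url(url: str) -> str:
    """Decodes %HH in the userinfo before display: the behaviour that lets
    %2F render as '/' so the username masquerades as host plus path."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    userinfo = unquote(parts.username)
    if parts.password is not None:
        userinfo += ":" + unquote(parts.password)
    return rebuild_for_display(parts, userinfo)


def shorten_username(user: str, max_len: int) -> str:
    """Truncate a long username, never cutting inside a %HH escape, so the
    shortened form still contains only valid (quoted) characters."""
    if len(user) <= max_len:
        return user
    cut = max_len
    if cut >= 1 and user[cut - 1] == "%":
        cut -= 1
    elif cut >= 2 and user[cut - 2] == "%":
        cut -= 2
    return user[:cut] + "..."


def pretty_url(url: str, max_user_len: int = MAX_USER_LEN) -> str:
    """Display form that leaves %HH quoted and shortens an over-long
    username (the shortening proposed in the thread).  Masking the password
    is an added choice here, not something the thread specifies."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    user = shorten_username(parts.username, max_user_len)
    if parts.password is not None:
        user += ":***"
    return rebuild_for_display(parts, user)


if __name__ == "__main__":
    print("real host    :", real_host(SPOOF))
    print("naive display:", naive_pretty_url(SPOOF))
    print("  reads as   :", apparent_host(naive_pretty_url(SPOOF)))
    print("quoted+short :", pretty_url(SPOOF))
```

Running it prints the decoded form Thiago saw in Konqueror, with www.kde.org
as the apparent host and spoofer-website.com as the real one, and then the
quoted, shortened form. Note that `urlsplit` itself keeps the username
percent-encoded; the decoding has to be introduced by the display code, which
is exactly the step to avoid.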