[PATCH] disallow hiding of statusbar
George Staikos
staikos at kde.org
Thu Jul 28 23:38:33 BST 2005
For security purposes, I don't think it's safe to allow websites to hide
all UI elements of the browser window. This patch implements it in a safe way
(and leaves a friendly reminder for the next developer who tries to "fix"
this bug). With this patch, it is very difficult for a web page to mimic a
native app, or even mimic the Konqueror statusbar. In other words, it's an
anti-phishing mechanism. The next step is to remove all page state items
from the toolbars, because they are still removable and therefore can be
mimicked. If anyone has trouble believing this, it's quite easy to make a
flash applet or other DHTML hack that demonstrates how to fool a user into
thinking he's using SSL.
As a migration technique, I think the first time a user goes to an SSL site
after upgrading from a previous KDE version, they should get a one-time only
messagebox that explains the UI changes (in particular, the moving of the
padlock to the statusbar).
My understanding is that IE 6 sp2 should also force the statusbar on at all
times, though I was able to write a proof of concept that seems to circumvent
this (and also demonstrate some painting bugs).
It's time to clean this up and I'd like to do it ASAP. Any objections or
comments?
--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: statusbaryes.patch
Type: text/x-diff
Size: 1080 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20050728/a1e54309/attachment.patch>
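The policy described in the message above, as an added example that is not the attached patch or Konqueror's own code: a simplified model of how a browser parses the feature string passed to window.open() and applies it to its chrome. The pre-patch function honours a page's request to drop the statusbar; the hardened function keeps the statusbar on regardless, which is what stops a page from standing in for it. The function and field names (parseWindowFeatures, chromeBeforePatch, chromeAfterPatch, padlockVisible) are my own assumptions, not KHTML identifiers.

```javascript
// Added example, not from the patch or from Konqueror: a constructed model of
// window.open() feature handling under the "statusbar cannot be hidden" policy.

// Parse "toolbar=no,status=no,width=400" into an object. Names are lowercased;
// a bare name ("status") counts as "yes", as browsers treat it.
function parseWindowFeatures(features) {
  const out = {};
  for (const item of String(features).split(",")) {
    const trimmed = item.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = (eq === -1 ? trimmed : trimmed.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "yes" : trimmed.slice(eq + 1).trim().toLowerCase();
    out[name] = value;
  }
  return out;
}

// Feature values that browsers accept as "on".
function isEnabled(value) {
  return value === "yes" || value === "1" || value === "true";
}

// Behaviour before the change (constructed, for contrast): whatever the page
// asks for is honoured, so "status=no" removes the bar carrying the padlock.
function chromeBeforePatch(features) {
  const f = parseWindowFeatures(features);
  return {
    toolbar: "toolbar" in f ? isEnabled(f.toolbar) : true,
    statusbar: "status" in f ? isEnabled(f.status) : true,
  };
}

// Hardened behaviour: the page may still drop the toolbar, but the statusbar is
// always shown, so the real one is always there to compare against a fake.
function chromeAfterPatch(features) {
  const f = parseWindowFeatures(features);
  return {
    toolbar: "toolbar" in f ? isEnabled(f.toolbar) : true,
    statusbar: true,
  };
}

// Where the padlock lives decides whether a page can make it disappear: in a
// hideable toolbar it can be suppressed; in the forced-on statusbar it cannot.
function padlockVisible(chrome, padlockLocation) {
  return padlockLocation === "statusbar" ? chrome.statusbar : chrome.toolbar;
}
```

The last function is the reason the message moves the padlock to the statusbar: any indicator that lives in an element the page can hide is an indicator the page can redraw itself.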