[larsu]

Firefox's html warnings in the browser's content window seem to make this particularly easy, though.

[thorax]

Yeah, I'd like to see these warnings move out of the HTML space and into the chrome in some difficult to mimic fashion.

[vog]

This is already happening for a long time. I remember some ad banners which looked like message boxes or download dialogs in Windows XP style.

(... which were easy to spot for me, because I'm using a completely different system)

[larsu]

You're right. But something like this would be harder to fake: http://www.mozilla.com/en-US/img/tignish/features/security-i...

[frio]

Yes and no. Mozilla's a bit screwed on this front, because they use XUL to render their interface - and, critically, the browser can render XUL pages. I don't have FF installed on this machine, but you should still be able to check it out at http://www.faser.net/mab/remote.cfm to see a demo of the feature.

It's a pretty cool feature, but it means that on Firefox, attackers should be able to emulate basically any chrome they want to.

[LordLandon]

To demonstrate, go to chrome://browser/content/browser.xul in firefox

[sid0]

Remote XUL is disabled in Firefox 4.