by adrianmonk
2127 days ago
> There isn't an "address bar" for iframes

Maybe there should be? If it's important to know what site you're looking at in a top level page, the same thing should apply to an embedded one. Often when I learn about web security, it seems like the user agent abdicates responsibility to be an agent for the user. Probably a case where it's more obvious in hindsight why this is important, but it could still be retrofitted. Maybe there's a better way, but for example, a browser could make the address bar a breadcrumb widget using multiple URLs to depict the iframe nesting.
How do you prevent a website from faking the address bar? The only reason that you can trust address bars right now is that the website can't draw outside the content frame. There are already attacks on mobile[1] involving fake address bars, because the address bar can be hidden, allowing the site to draw a fake address bar in its place. The only secure way to do it would be to open another window (like when you try to use sign in with Google), but that still has the issue that lots of legacy sites won't use this security feature, so users will still happily enter in their credit card numbers.
[1] https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-...