by gruez
2125 days ago
>Maybe there should be?

How do you prevent a website from faking the address bar? The only reason that you can trust address bars right now is that the website can't draw outside the content frame. There are already attacks on mobile[1] involving fake address bars because the address bar can be hidden, allowing the site to draw a fake address bar in its place. The only secure way to do it would be to open another window (like when you try to use Sign in with Google), but that still has the issue that lots of legacy sites won't use this security feature, so users will still happily enter in their credit card numbers.

[1] https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-...

Well, my suggestion was to add additional URL(s) into the same address bar that already exists at the top. (Hence the breadcrumb widget.)
My original motivation was to not wreck the layout of pages that are currently counting on the inside of the iframe to be big enough to hold all the expected content.
But it also protects the additional URL(s) from being drawn over because you already can't draw over the address bar.
That mobile address bar hiding hack is pretty scary, though.