Re: FYI - Planned change to default handling of username:password@server in URLs
From: Roland Hall (nobody_at_nowhere)
Date: 02/04/04
- Next message: F_at_yy@Z: ".js File"
- Previous message: Roland Hall: "Re: URGENT: Link from within one frameset to a sub-page of another frameset."
- In reply to: Lasse Reichstein Nielsen: "Re: FYI - Planned change to default handling of username:password@server in URLs"
- Next in thread: Daniel Powell: "Re: FYI - Planned change to default handling of username:password@server in URLs"
- Reply: Daniel Powell: "Re: FYI - Planned change to default handling of username:password@server in URLs"
Date: Tue, 3 Feb 2004 22:38:29 -0600
"Lasse Reichstein Nielsen" wrote:
: > and it seems that the reason this patch was released for basically
: > a COSMETIC fix because people thought they saw a different URL on
: > their status bar of all things.
:
: Not just a cosmetic problem. The address in the address bar could even
: be faked, which is a serious security problem.
That's not what I read. It IS just a cosmetic problem if you have an
updated browser.
=---
Note In this case, Internet Explorer 6 Service Pack 1 (SP1) and Internet
Explorer 6 for Windows Server 2003 only display "http://example.com" in the
Address bar. However, earlier versions of Internet Explorer display
"http://www.wingtiptoys.com@example.com" in the Address bar.
---=
It will still redirect you but if the link is disguised, you still need to
look at the code. This is a false sense of security that will hurt more
than it will help.
How many people do you think read the source code before clicking on a link?
I would be surprised if it was 1%. So, a link disguised, which still can be,
is no different now than it was before.
It could have easily been a setting in your options, under the security tab,
like it is for email attachments in OE, so you could turn it on if you
wanted but yet Microsoft, once again, thought they knew what's best for you.
It was a ridiculous modification.
Ya, hindsight is great. Don't depend on non-standards. If that is true
then we need to dump Microsoft because they set their own standards
consistently. That is a weak argument.
Here you go. Let's see if the user is any more secure.
http://kiddanger.com/lab/where.html
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
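
The two cases discussed in this message (a hostname placed in the userinfo part of a URL, and a link whose visible text names a different site than its target) can both be checked mechanically. The following is an added example, not part of the original post; the function names, the dotted-userinfo heuristic and the sample links are assumptions made for illustration.

```javascript
// Added example: flag links whose userinfo part or visible text hides the real host.
// Uses the WHATWG URL parser (global in browsers and Node.js).

// Heuristic (assumption): userinfo made of dotted labels looks like a hostname.
function looksLikeHost(s) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(s);
}

// Returns { host, reasons } for one link; reasons is empty when nothing is odd.
function auditLink(href, visibleText) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { host: null, reasons: ["unparseable"] };
  }
  const reasons = [];
  if (url.username || url.password) {
    reasons.push("userinfo-present");
    let user = url.username;
    try { user = decodeURIComponent(url.username); } catch (e) { /* keep raw */ }
    if (looksLikeHost(user) && user.toLowerCase() !== url.hostname) {
      reasons.push("userinfo-looks-like-host");
    }
  }
  // Disguised link: the text shown to the user names a different host.
  const m = /^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i.exec((visibleText || "").trim());
  if (m && m[1].toLowerCase() !== url.hostname) {
    reasons.push("text-host-mismatch");
  }
  return { host: url.hostname, reasons };
}

// Constructed sample links; the first is the URL from the quoted note.
const samples = [
  ["http://www.wingtiptoys.com@example.com", "Wingtip Toys"],
  ["http://example.com/", "http://www.wingtiptoys.com/"],
  ["http://example.com/", "example.com"],
];
for (const [href, text] of samples) {
  console.log(href, JSON.stringify(auditLink(href, text)));
}
```

The second sample carries no userinfo at all and is still flagged, because the check compares the text shown to the user with the host the link actually targets.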