Thanks for your reply.

[This is half of a reply to your last message.  The other half is
in my next message; i'm just trying to keep topics organized.]

On Tue, 1 Mar 2005, Gervase Markham wrote:
> Ka-Ping Yee wrote:
> > 3.  Domain name.  Firefox extracts the domain name reliably and displays
> >     it separately in the status bar, thereby circumventing user errors
> >     in parsing the URL.  But the domain name is only shown for SSL pages,
>
> This may change in the future; I'm talking to dveditz about it.

That would be cool.

> >     and the status bar isn't always visible; though it cannot be turned
> >     off by an attacker, it can still be turned off by the user,
>
> Yes - we still allow the user that choice. But then it's their action.

Right.  That general principle is okay by me; i just wanted to describe
clearly what the current situation is.

However, i just discovered that once the menu bar is gone, i can't
figure out any way to get it back.  Am i missing something?  If there
really is no way to get it back, that would also seem to be a problem --
i might really want to check the site i'm at before proceeding, yet not
be able to turn the status bar on because the menu bar is gone.

> >     and it always disappears if the window height is reduced to less
> >     than about 150 pixels.
>
> There is a minimum size for popup windows; we need to make sure the
> status bar is visible even at that size. If it's not, please file a bug.

It disappears for me with Firefox 1.0.1.  Try

    http://zesty.ca/popup.html

and click on the button -- do you get a popup with no status bar?

(If anyone else can confirm my results, let me know and i'll file a bug.)

When the status bar disappears because the window is too small, there's
also no indication of how to get it back.  You'd have to just know that
you need to enlarge the window.  And if, as in this example, the window
is not resizable, you're really stuck.

I didn't realize there was supposed to be a minimum size for popups.
I don't understand the reasoning.  Why make the status bar disappear in
some situations and then try to prevent those situations from happening?
Wouldn't it be simpler just to not make the status bar disappear?

> >     It is slightly unfortunate that the domain name is shown
> >     in a sans-serif typeface where the lowercase "l" is indistinguishable
> >     from an uppercase "I", though this isn't an issue if the user trusts
> >     that domain names are always shown in lowercase.
>
> IMO, we should always show domain names in lowercase.

I agree.

The potential issue is that one can spoof "interbank.com" by registering
"lnterbank.com".  A user expecting to go to Interbank might glance at the
status bar and see what appears to be "Interbank.com".

If users *know* for sure that the domain name is always shown in
lowercase, then they might notice the spoof.  They might not be that
sharp, though.

Sure, this is only going to be an issue for domains that start with "i",
but it doesn't cost anything to choose a better font.  As long as we're
trying to show the domain, why not try to be as clear as possible?


-- ?!ng
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
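
The "lnterbank.com" case from the message above, as an added example that is not part of the original post: lowercasing the host does not remove the confusion, so this check compares the displayed host against a list of expected hosts glyph by glyph. The function names, the trusted list and the digit lookalikes (which go beyond the l/I pair in the message) are assumptions.

```javascript
// Added example, not code from the thread. Function names are hypothetical.

// Lowercase the host, as the thread proposes the browser should display it.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Can the glyph shown at position `pos` be misread as the trusted character?
function glyphMatches(shown, trusted, pos, trustedHost) {
  if (shown === trusted) return true;
  const labelStart = pos === 0 || trustedHost[pos - 1] === ".";
  // From the message: lowercase "l" looks like the capital "I" a reader
  // expects at the start of a name such as "Interbank".
  if (labelStart && shown === "l" && trusted === "i") return true;
  // Assumptions beyond the message: digit lookalikes at any position.
  if (shown === "1" && trusted === "l") return true;
  if (shown === "0" && trusted === "o") return true;
  return false;
}

// Returns the trusted host that `shownHost` imitates, or null when the host
// is itself trusted or resembles nothing on the list.
function findLookalike(shownHost, trustedHosts) {
  const shown = normalizeHost(shownHost);
  const trusted = trustedHosts.map(normalizeHost);
  if (trusted.includes(shown)) return null;
  for (const t of trusted) {
    if (shown.length !== t.length) continue;
    const same = [...shown].every((c, i) => glyphMatches(c, t[i], i, t));
    if (same) return t;
  }
  return null;
}

// Constructed sample input.
const TRUSTED = ["interbank.com"];
for (const host of ["Interbank.com", "lnterbank.com", "interbank.c0m", "zesty.ca"]) {
  console.log(host, "->", findLookalike(host, TRUSTED));
}
```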
