Comment #7 on issue 25728 by lcamtuf: Page doesn't "open" with Google Chrome http://code.google.com/p/chromium/issues/detail?id=25728
The behavior of MSIE seems pretty bad, because it does not tell the user at all what site the message is related to. Imagine I navigated to http://example.com, I'm presented with a top-level infobar warning... I have no sensitive data with example.com, so I click through. Too bad the frame pointed to MITMed https://mail.google.com. Bye, mail! Firefox is a bit better behaved, as it explains the URL in the window; *but* the interstitial is contained in a frame, so as Adam points out, it is susceptible to clickjacking at the very least (oops). A solution that uses a top-level interstitial *AND* clearly explains which site the message is related to could be at least theoretically safe; but it probably puts too much faith in the ability for a casual user to understand what's going on. Many users who do not understand HTTPS well will click through based on their intent ("I was going to see http://example.com, so let me!"). I can't think of a way to explain https:// IFRAMEs on third-party http:// pages well in a sentence or two... So the bottom line is, I think the approach in MSIE and Firefox is dangerous, and we may try talking to them instead. Our approach is probably best, but obviously not perfect. /mz -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings --~--~---------~--~----~------------~-------~--~----~ Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs -~----------~----~----~----~------~----~------~--~---
