> They may be in the minority, but there *are* users out there who know how to
> look at the address bar. The security researcher knows this because he is
> one of them. I call this group the "competent and contentious users".
Sure. And that group is sort of safe when faced with open redirectors, mouseover tooltips, etc. - well, modulo funny corner cases like this:

http://lcamtuf.coredump.cx/switch/

...or:

http://lcamtuf.coredump.cx/switch/index2.html

I have seen the "most users don't understand X anyway" as an argument against fixing X in the browser several times before, and I think that's wrong; but I'm not sure this is applicable here.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/