Scott Taylor <[EMAIL PROTECTED]> wrote: > Wouldn't it make sense to accept [EMAIL PROTECTED], but NOT DISPLAY IT on the > address bar? so even if someone clicks on a shady link, they don't see > http://[EMAIL PROTECTED], they only see http://crooks.com on their > address bar? And with all those miserable encoded characters translated > back to plaintext too. Yeah I know. silly idea. Just too bloody obvious > I guess.
Let's see... First, you are proposing that IE have a non-standards compliant behaviour re-instated? That is bad for several reasons already discussed. Second, you are suggesting that IE should hide the fact that there is some kind of authentication involved. That is really stupid as it is a sure bet that many clue-deprived web developers (you can read comments from some of them in Lemos' article to get an idea of the level of lack of care for security they _already_ have) will then see the mechanism as _more secure_ "because the user credentials are not displayed". These are a similar kind of moron to those web designers who think disabling left-click with JavaScript and using those trivial client- side runtime "decryption" scripts make their web page design tricks and/or script code "invisible" to others. Third, I agree it would be a good idea if all encoded characters that can be rendered in the browser's address or status bar as "displayable" characters should be rendered thus, rather than left encoded. AFAIR, is how Mozilla, and I think Opera, already handles such situations. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
