> > Tell me, why can't you change the URL dynamically? Why is it such a
> > danger? (aside from the aforementioned problem)
> This I don't know... but maybe even keeping the location in-domain
> could be a security hazard, as some sites could be controlled by
> different people in different directories, some you trust and some you
> wouldn't...?

I think I have an answer: imagine you have a "My bank" link on a site you don't completely trust. You check in your status bar whether the URL is trustworthy (i.e. address = http://www.mybank.com) and you think it is. But when you click, there's a JS that changes the URL and redirects you to a phishing site; you trusted the link, why can't you trust the site? You can imagine the rest...
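
Added example, not part of the original thread: a static check that flags anchors whose inline event handlers reference a different host than the `href` shown in the status bar. The sample markup and the `phish.example` host are constructed, and `findRewrittenLinks` is a hypothetical helper name.

```javascript
// Inline handlers that fire before navigation and can swap the destination.
const HANDLERS = ["onclick", "onmousedown", "onmouseup"];

// Constructed sample markup; phish.example is a placeholder host.
const SAMPLE_HTML = `
<a href="http://www.mybank.com/">My bank</a>
<a href="http://www.mybank.com/" onclick="this.href='http://phish.example/login'">My bank</a>
<a href="http://www.mybank.com/" onmousedown="location.href='http://www.mybank.com/help'">Help</a>
`;

// Collect double-quoted attributes of one opening tag into a lowercase-keyed map.
function attrs(tag) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) out[m[1].toLowerCase()] = m[2];
  return out;
}

// Hostname of an absolute URL, or null when it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Report every anchor whose handler mentions an absolute URL on another host
// than the one the user sees when hovering the link.
function findRewrittenLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const a = attrs(tag);
    const shown = hostOf(a.href || "");
    for (const h of HANDLERS) {
      if (!a[h]) continue;
      for (const [, url] of a[h].matchAll(/['"](https?:\/\/[^'"]+)['"]/gi)) {
        const actual = hostOf(url);
        if (actual && actual !== shown) findings.push({ handler: h, shown, actual });
      }
    }
  }
  return findings;
}

console.log(findRewrittenLinks(SAMPLE_HTML));
```

This only covers inline handlers on double-quoted attributes; listeners attached from script elements need a runtime check instead.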
