On Mon, Jan 18, 2010 at 7:31 AM, John Panzer <[email protected]> wrote:
> ...How many users actually check urls? How many are equipped to check
> urls with Unicode characters?
>
> Would it be possible to get 99% of the security with an iframe plus a
> button to pop out to a full window to complete the action? The latter
> would be chosen by a self selected group of people who actually check
> urls and are potentially giving up a high value password.

I actually really like the way that the iPhone deals with this — it may not be ideal, but providing a read-only URL field seems like a nice compromise, where at least the user has SOME context for who's asking for their password:

http://www.flickr.com/photos/factoryjoe/4287945431/

If the user is not going to check the URL or understand what it means, all the errors or warnings in the world aren't going to prevent that edge case that the browser's built-in protection system doesn't know about.

Better is to make sure the user has *some* kind of contextual clue — and if they trust the client app anyway, then this is possibly about as good as we'll get with the tech that we currently have.

Chris

--
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

This email is: [ ] shareable [X] ask first [ ] private
