matti writes:

> The word "frames" is used once in the readme:
> The riwos implementation does not use frames.

In the sqwebmail source you will find a file called SECURITY (or SECURITY.html if you prefer that). I suggest you read one or other of them.

> I've added .... does not use frames to create the multi viewing setup.

Please also add "and is therefore a SEVERE security risk."

>

You did. You also missed this:

> All changes are focused on how to produce a good graphical output and
> increased usability of the application.

I am in favour of increased usability, but not when it results in a SEVERE security risk. It doesn't matter how good it looks and how usable it is if security is compromised.

I am also worried by anyone who decides to recode an application without reading important files that document why certain design decisions had been taken and is also unable to figure out for himself why abandoning frames is a SEVERE security risk even without reading those files. I consider it essential to read a file called SECURITY before I install something, let alone if I want to mess with the code.

Here's a hint for you. One of the reasons people want webmail is so that they can check their mail when away from their own computer, such as when making a business visit to a client or when in a library or cybercafe. In those environments, others will access the same computer after they have read their mail. Some people don't bother to log out after checking their mail with webmail, they just close the browser window. Without frames, in some circumstances, the browser history will allow other people to read that mail after the user has gone. With frames, this is not possible with most popular browsers.

Here's another hint: if you looked at the URL as you used Riwos to deal with your mail, you ought to have figured this out without reading the SECURITY file. The whole point of frames in sqwebmail is to stop certain URLs appearing in the address bar and history.

Your usability enhancements mean that the way webmail is used by ordinary people compromises their security. It is no good expecting them to log out rather than just closing the window. That too is a matter of usability - you have to cater for what people DO, not what you want them to do.

Frames are almost always a bad thing. In this case, what is usually a major disadvantage of frames (that the content of the individual frames is not recorded in the history) is used to enhance security.

Now, if you missed something as obvious as that, what might you have missed in your other changes that compromises security? I don't know, and I have no intention of doing a detailed comparison to find out. The one obvious mistake you made is enough to ensure that I will never install Riwos without me having to look for more reasons.

--
Paul Allen
Softflare Support
