Brian Candler writes: [...]
> So, it does *not* appear to use frames to maintain security. It does try
> to use a different method (but one which would probably be bypassed if
> you went directly to the webmail URL)

I tried it. The page with full URL does show up in the history, and can be clicked on to get back there.

I can't say I'd like to rely on JavaScript being present for security either, even if it actually provided the security he thinks it does, since JavaScript can be disabled (and often is by people who are sick of advertising pop-ups). You could make the page so it cannot function correctly without JavaScript, then you lock out Lynx and possibly other user agents (especially if you use browser detection instead of object detection to try to be compatible with many browsers).

And I certainly do NOT want the toolbar disabled on a page I use a lot. It might (just) be acceptable in some circumstances, like a pop-up in an on-line purchasing system that confirms what has been added to your cart, but is not acceptable here.

It looks like my original assessment was correct after all. Except I have to revise it to add that he either does not understand the changes he has made or he was dishonest in his message to me. Neither of which convinces me that Riwos is at all trustworthy or ever will be.

Perhaps he has changed other aspects of the code so that dangerous URLs are no longer exposed but that's not what he said. Maybe this is an artefact of his test system and the real thing does really use frames for security, but I doubt it.

--
Paul Allen
Softflare Support
