20070606

Firefox 3 Screen Mockups - One fix is no fix

Link

One of the potential new features of Firefox 3 is that the location bar will be substantially changed. One of the changes possibly on the plate is to gray out all of the location bar except for the domain + tld of the content. I have two problems with this:

1) If mysite.com has an XSS vulnerability, attackers, rather than sending the user to another site, will typically use mysite.com itself to render the new page they want. So the result would look something like:
http://www.mygoodsite.com/redirect.foo?url=[maliciousscript]
See the image at http://people.mozilla.com/~faaborg/files/20070602-firefox3UIFeatures/locationBar.jpg
And it would look like I was visiting goodsite.com. Now, their reasoning for doing it was sound - sometimes when you visit a malicious site, they use visual cues in the location bar to make you think you're not at the malicious site.
2) The location bar doesn't tell you where all the content is coming from.

0 comments: