Is an overlay more susceptible to phishing? - javascript

Working on a web development project, functionality requires a user to navigate through the website then login and perform a very sensitive function. The login and subsequent functionality is hosted on a different site (sorry I can'be be more specific due to sensitivity)
Choices considered for the UI are:
A javascript overlay
A popup
Load in the full page
The current development and prototype user testing has been on an overlay with no problems. There is concern that an overlay does not show the address bar and the SSL certificate therefore is more susceptible to phishing.
A popup or a full page would be better in this respect but I have read studies that show users do not pay attention to passive indicators:
http://www.usablesecurity.org/emperor/
Popups also have the problem with popup blockers, the overlay looks the best and provides the least disruptive user experience, i.e. user feels they have not left the original site
So what is the best option considering security, usability and design?
Related question: is there any problems with loading an iframe within an overlay? e.g. scrollbars etc?
Edit: The question is more how to present the secure login page on an overlay, a popup or redirect to load the login in the full page. I'll edit the question to make this clear
Edit: Any links to research or studies showing increased phishing if an overlay is used would be very useful for making the case

Just redirect the user to login on the secure login page and customize its look. Make sure the secure login pages url are the same every time. You might wanna have a look at how Stack Overflow (a big website for programmers) handle logins with OpenIDs.

Related

Forcing a user to authenticate using a pop-up

I have a page I want only authenticated users can come to. Also I want to authenticate them using a pop-up when they come to that page, say, twitter bootsrap or foundation. How can I do that if a user can just close it? It's unreliable, isn't it?
There is a risk that the user changes the css properties of your live page, to make it invisible pop-up. A simple tool like Firebug makes this possible. Authentications pages are safer in a page intended for this purpose.

how to open pop up form on close browser event

I have a form I like to open in pop up windows when user close my website or browser .. I want like to take feedback from users by pop up form like "give your comments how we can improve our website" and then with php I will submit the form and admin of website will get users feedback.
I am stuck here and fail to find JS code that open popup form on close browser event.
can any one help me out.
Stop wanting to do that. Imagine how horrible the user experience would be for the whole web if it were possible to do that. If it was already possible, a rampaging mob with flaming torches and pitchforks would demand it be fixed immediately. Be thankful that there is no satisfactory answer to your question.
What have you tried so far?
Here is one approach, but user may be able to disable it, and may be blocked by popup blockers (not to mention a whole ethics debate, but hey... you asked):
From main page:
<script>
window.onbeforeunload = function()
{
var url = "feedback_form.html";
window.open(url, "_blank", "toolbar=yes, scrollbars=yes, resizable=yes, top=500, left=500, width=400, height=400");
};
</script>
Confirmed that this code works in IE9, Chrome, and Firefox with the popup blocker disabled.
Usability concerns and other thoughts:
This will usually annoy people and is considered evil.
This approach relies on popup blocker being disabled (if using a browser that supports it)
Feedback is voluntary when sourcing from a crowd (your users) like this. Therefore you should make it more of an option. Many sites do a side-floater or hyperlink for "Add your Feedback" or whatever. I would recommend going this route instead of relying on closing the browser.
This code will fire on closing the browser, but will also fire whenever user leaves the page, including POSTing form data and navigation to other pages on your site.
One interesting application for this could be to send some metrics to your server via an AJAX call on window close instead (like recording how long user visited page, what actions they performed, etc.) that could be used in addition to the voluntary feedback form to learn more about what your users are doing on the site.
It is not uncommon for enterprise intranet web applications to do stuff like this (manipulate browser windows), and often those sites / domains will be added to the trusted sites for the client computer, which may include disabling the popup blocker.

AJAX - Modal Popup Not In Generated Source - How'd They Do That?

On the Bloomberg.com site, in the top right of the homepage there is a 'Sign In' link (next to their search textbox). Upon clicking the link a simple-looking modal popup appears into which one can enter one's sign-in credentials. Clean, elegant. With the popup still visible I did a generated source check and there's no evidence of the modal popup html anywhere in it. I'm wondering why the modal popup source is missing and, assuming it's coming from somewhere else, where it's coming from. Can someone please explain it?
More generally I assume that Bloomberg's login dialog is ultimately transmitting its user data on an encrypted basis. The home page itself is rendering as a standard http. Is there some hidden - and secure, presumably https - means by which this site, and others I'm sure, is accomplishing its modal information gathering and posting, securely and distinct from the base homepage? Any clarifications on how this is happening and the best practices for coding it would be appreciated. Thanks!
-- Rick
The popup is actually just presenting an iframe of this URL:
https://login.bloomberg.com/api/login?skin=&rt=http%3A%2F%2Fwww.bloomberg.com%2F&cc=0.13446950796060264
(And the iframe itself is presented over HTTPS, which covers the security issue you mentioned)

Fancybox - implementing backward and forward for iFrames

I'm using Fancybox to display webpages through an iFrame. Those webpages are like a little information network: they're calling each other via links, and the user can circle through them.
I wanted to implement back et forth buttons: I did it by putting those buttons directly inside the displayed page, and working with the history (history.go(-1)) : that works, as long as the browser behaves in the way they do with iFrames.
However, there's a problem: if the user clicks on the back button and is on the first page of his navigation, it will bring him back out of the website itself (as, out of the fancy box, it's a one-page website).
As for security purpose you cannot have access to the history and test it to avoid that, is there a way to find out if the user will get out of the domain if he does a step more? Document.referent doesn't seem to work in the context of Fancybox and iFrames…
Thanks A LOT, I tried many (mainly stupid things), including a javascript session with window.name (see how desperate I am ?) !

WordPress Language Page

I've installed WordPress and played with it for a while. And I got a question how I can make a top page which let visitors to choose their languages.
Let's say there ware two languages for a website, English and Japanese. When a visitor opens the domain root(http://example.com), a selection page appears. If English is clicked, it redirects to the page "http://example.com/en", which has been created by WordPress's page feature(permalink). If it is Japanese, it goes to example(dot)com/jp."
This kind of page is annoying and most of the time useless. As you can automatically detect user browser language and/or ip location, or display a language switcher anywhere in your website.
If you need it anyway, you can try WPML plugin (or other free alternative, if you find one...).
Then you can easily test if you have a detected language and if there is not, display your language chooser.

Categories