How can I convince my client that trying to hide the browser toolbar is a bad idea?

My client has a friend who performs “security testing,” and he tells them that the PHP Zend Framework application that I built for them should do this on the browser side:

  • hide location bar, toolbar, bookmarks, menu and back / forward button
  • disable right click

This is obviously a monumentally bad idea. I pointed out that it hides the fact that the site is protected by SSL, that browsers are not required to honour these requests, and that real crackers will still find a way around it, as this is a client-side hack.

Apart from being a bad idea, is this even possible? The main tests that I did show that this is only possible in versions prior to version 7, and not in Firefox, Safari or Chrome. The guy insists that this is possible in these browsers; I'm still waiting for a proof of concept.

  • Is it possible? Either in a popup window, or in the same window.
  • Any usability examples that reject this approach?
  • Is there any support for this idea that is less than 5 years old?

Better, however: is there any really good demolition of this idea, especially from any source that is a security agency?

My client trusts this guy, so I need to find non-character counterarguments.

thanks

+4
6 answers

Indicate that

  • Even if the back / forward buttons have disappeared, almost every GUI browser under the sun still has keyboard shortcuts that cannot be removed, for example, alt-leftarrow / alt-rightarrow for navigation, ctrl-d for bookmarks, etc.
  • Most browsers have the option "ignore disable right click" in their settings.
      • If a right-click menu is available, it is trivial to get the URL of the current page, and just copy / paste it into a regular non-gimped window and continue as usual anyway.

Trying to achieve security by shoving stripped-down windows down people’s throats is bad. A good site will not mind if you have a File menu or bookmarks, and there would be no problem if back / forward were available. Removing them simply covers up bad design decisions.

All he does is remove the hammer from the grasp of users, but users still have a lot of stones lying around.

+10

I’m not sure how much this will help, and I assume that you have some kind of contract about what kind of work will be provided. Just refuse to do it. Leave if you need to. If your client has a friend who is so inclined to perform such stupid tasks, let the client’s friend do this and move on.

It sounds as if you are in a situation where you need to go around or maybe start your client.

Personally, I would even accept the idea.

Good luck

+3

I agree that this is a monumentally bad idea, mainly from a user interface perspective. By doing this, you are violating the implicit user / application contract, which states that the application should not interfere with the normal user interface more than necessary. In short, it rips people off.

It should be pretty easy to tear down the idea that it somehow adds security by simply coming up with a few demos of how you would get around this (see Marc B’s answer).

Another point is that if it were “best practice,” you would see a lot of people out there doing it. You do not, because it is not. Give a few examples of institutions that have a strong reputation in the field of security (banks, the DOD website, etc.) and show that they do not need such things to be safe.

+1

In Chrome, this is possible, but only from the command line, not through JavaScript.

For example, let's say Chrome is installed in c:/chrome/chrome.exe; then you can start your site using

c:/chrome/chrome.exe --app=http://mysite.com 

This is useful for something like an internal web application, but not for general web browsing.

0

As far as practical persuasion is concerned, also ask him to demonstrate your bank's online banking site. Then compare the security approach (https) with the one used by online banking systems (https). If their bank uses some form of address-bar or status-bar removal, then you can still use this approach. (There is only window.open, and it is quite limited in current browser configurations.)

Windows users perceive security visually. Offer your recommendations, follow the wishes of customers until they become harmful, and then leave. Do not try to educate people who cannot be convinced.

0
source

Perhaps you can point out that Jakob Nielsen (PhD in human-computer interaction) said this in terms of usability:

Designers open new browser windows on the theory that it keeps users on their site. But even without paying attention to the user-hostile message implied when hijacking the user's machine, the strategy is self-defeating, as it disables the Back button, which is the usual way for users to return to previous sites. Users often do not notice that a new window has opened, especially if they use a small monitor where the windows are maximized to fill the screen. Thus, a user who is trying to return to their original location will be confused by the "Back" button.

From: #9 in the Top 10 Web Design Mistakes

0

Source: https://habr.com/ru/post/1340552/
