<div class="gmail_quote">On Thu, Apr 30, 2009 at 2:08 AM, David Christiansen <span dir="ltr">&lt;<a href="mailto:openid-userexperience@davidchristiansen.com">openid-userexperience@davidchristiansen.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><span style="border-collapse:collapse">Hi All,</span><div><span style="border-collapse:collapse"><br></span></div><div>
<span style="border-collapse:collapse">T<span class="Apple-style-span" style="border-collapse: separate; ">rying to maintain a 'Can Do Attitude' here but I have personal reservations about going back to the days of browser pop-up windows - however I fully appreciate the reasoning behind the need to show an address bar to the user.</span></span></div>
</blockquote><div><br></div><div>This is absolutely critical, as phishing attacks are as prevalent as ever and will become increasingly so:</div><div><br></div><div><a href="http://www.thestandard.com/news/2009/04/29/facebook-phishing-attack-progress">http://www.thestandard.com/news/2009/04/29/facebook-phishing-attack-progress</a></div>
<div><a href="http://www.techcrunch.com/2009/04/30/new-phishing-attack-spreading-on-facebook-this-time-from-fbstarter/">http://www.techcrunch.com/2009/04/30/new-phishing-attack-spreading-on-facebook-this-time-from-fbstarter/</a></div>
<div><br></div><div>Folks have tried to argue that on trusted sites such inline dialogs are safe — especially between partners — and there's some truth to that. But I think the problem is that it allows for a certain kind of complacency to set in — and it takes away any indicators whatsoever that the user could use to try to evaluate whether to trust the login dialog presented to them.</div>
<div><br></div><div>That isn't to say that web security has become something of an oxymoron — but in the case where you can give people at least ONE familiar tool to evaluate their situation, I think we should.</div><div>
<br></div><div>Popups may not seem to be the ideal place to put the experience, but we have few other choices, and at least it works across browsers.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><span style="border-collapse:collapse"><span class="Apple-style-span" style="border-collapse: separate; "></span></span></div>Tell me, how do we permanently avoid the pitfalls experienced back in the day (a couple of years ago) where pop-up blockers got in the way of every attempt to honestly launch a browser window from javascript? I know there are 'workarounds' to bypass pop-up blockers, but they only work until the pop-up blockers are updated. I guess this is why 'inline' windows became so popular.</blockquote>
<div><br></div><div>As long as the user clicks a link, the popup should launch. It doesn't require any special trickery or hacking.</div><div><br></div><div>Inline dialogs became popular because people could start building interfaces with AJAX and trust that most people would have a decent experience. Most of Facebook is written in Javascript — and I have no idea what the experience is like without Javascript turned on, but I imagine that, by and large, most people's experience of Facebook is enhanced by Javascript (if not MADE by Javascript).</div>
<div><br></div><div>Inline dialogs also allow you to take some interaction "without leaving the page" — cutting down latency and increasing efficiency since you didn't have to do a full page refresh. </div><div>
<br></div><div>In other words, inline windows were the result of improvements in technologies centered on user experience, not because popup blockers became so powerful (at least in my view).</div><div> </div><div><br></div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>So what we are needing - is an inline window...with a modal address bar :working:<br></blockquote><div><br></div>
<div>Well, this is a long way off — and really runs counter to the user experience that I think a lot of sites want.</div><div><br></div><div>Indeed, most sites would prefer better user experience over security (though they won't say that) and besides, setting those two things as opposites really is defeating all of our goals. As hard as it is to come by, we do need usable security — that doesn't necessarily completely compromise the user experience (see Windows VISTA).</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>Another potential downside I can see is that we would also be mandating that the user's browser had javascript enabled, is this a good thing? maybe not even an issue.<br>
</blockquote><div><br></div><div>Again, I think this issue has been put to rest. We do need to think about mobile and set-top experiences, but nothing about the popup window should be impossible in non-Javascript environments.</div>
<div></div></div><div><br></div>Thanks for your comments. I do think that a way to better detect the source of an inline dialog would certainly be a nice browser enhancement, but given that we have to work with the web we have, it might be something to work on over the long term.<div>
<br></div><div>Chris<br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> // <a href="http://diso-project.org">diso-project.org</a> // <a href="http://openid.net">openid.net</a> // <a href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>
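<div>The click-initiated popup described in the message above, as an added example that is not part of the original e-mail or of any OpenID project code. The link id, window name, provider URL and popup size are hypothetical; the sketch shows the popup being opened synchronously from the user's click, requesting an address bar, and leaving the plain link to work when the popup is refused or JavaScript is off.</div>

```javascript
// Added example, not from the original message. Assumed markup (hypothetical id and URL):
//   <a id="openid-login" href="https://op.example/auth" target="_blank">Sign in</a>
// With JavaScript disabled, the link still opens the provider through its href.

// Build the window.open() feature string; location=yes requests the address bar
// so the user can inspect the provider's URL before typing credentials.
function popupFeatures(screen, width, height) {
  const left = Math.max(0, Math.round((screen.width - width) / 2));
  const top = Math.max(0, Math.round((screen.height - height) / 2));
  return [
    `width=${width}`, `height=${height}`, `left=${left}`, `top=${top}`,
    'location=yes', 'status=yes', 'resizable=yes', 'scrollbars=yes',
  ].join(',');
}

// Called synchronously from the click handler, so window.open() runs while
// the user's click is being dispatched. Returns 'popup' when a window opened,
// or 'navigate' when the browser refused and the link's default action runs.
function handleLoginClick(win, link, event) {
  const popup = win.open(link.href, 'openid_login',
                         popupFeatures(win.screen, 500, 600));
  if (!popup) {
    return 'navigate'; // blocked: do not cancel the click, the href takes over
  }
  event.preventDefault(); // popup is showing, keep the current page in place
  popup.focus();
  return 'popup';
}

function attachLoginPopup(win, link) {
  link.addEventListener('click', (event) => handleLoginClick(win, link, event));
}

// Wire it up only when running inside a browser page.
if (typeof document !== 'undefined') {
  const loginLink = document.getElementById('openid-login');
  if (loginLink) attachLoginPopup(window, loginLink);
}
```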