norwegian across all domains?

Although I'd like to see a certain Norwegian browser crossing borders and domains to make progress all over the world, I'm not at all pleased when the scripting authors who built the website of the new "Norwegian" airline try to show us the way with cross-domain scripting.

<http://www.norwegian.no/> is quite an exciting new low-cost airline which might become very important in my little corner of the world, but they'd have to fix their website. If you do a search, it loads a list of departures from http://www.amadeus.net in a subframe of a frameset that is located on http://www.norwegian.no. Then JavaScript served from amadeus.net tries to update the other frames, which belong to norwegian.no, with prices and details. That is exactly what the same-origin policy forbids: a script from one origin may not read or write documents from another.

Why doesn't your trusty browser allow this? After all, the norwegian.no webmaster implicitly chose to trust amadeus.net by displaying that site prominently in the frameset.

Well, consider this: amadeus.net cannot actually reliably know that it IS loaded inside norwegian.no's frames. (It could make a few checks, such as looking at the referrer, but I'll bet they don't, and a referrer can be suppressed or faked anyway.) So if I wanted to spoof the norwegian.no site for a phishing attack or something, I would just have to duplicate the frameset itself on my own domain and write some duplicate JavaScript functions of my own to receive the information. That is incredibly little work for a phisher, and it would make a fake site with live, real airline data! The browser has no way to tell my frameset from the real one, so if it let amadeus.net's script write into any parent frame, it would be handing the data to whoever framed it.
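The safe way to do what the airline's scripts were trying to do is to let the framed page hand data to its parent through a channel the browser ties to origins, and to have the parent verify where the data came from. The following is an added example, not code from norwegian.no or amadeus.net, modelled on the frameset described above using the HTML5 `window.postMessage` API (which did not exist in the browsers of the original post). The two origins, the frame names, the message shape and the sample prices are all assumptions made for the example. The `deliver` function stands in for the browser: it models the rule that a message is only delivered when the receiving window's origin matches the `targetOrigin` the sender asked for.

```javascript
// Added example: an origin-checked cross-frame exchange using window.postMessage.
// Illustrative code, not the airline's or Amadeus' own scripts; origins, frame
// names and message shape are assumptions.

const BOOKING_SITE = "http://www.norwegian.no";   // owner of the frameset (assumed)
const DATA_PROVIDER = "http://www.amadeus.net";   // origin of the framed result page (assumed)

// --- Child side: runs inside the amadeus.net frame --------------------------
// Instead of reaching into parent frames (blocked by the same-origin policy),
// the framed page posts its data to the parent and pins the targetOrigin to the
// booking site. A phisher's copy of the frameset on another origin never sees
// the message: the browser drops it when the parent's origin does not match.
function buildPriceMessage(prices) {
  return {
    targetOrigin: BOOKING_SITE,
    message: JSON.stringify({ type: "prices", prices })
  };
}
// In a real page:
//   const m = buildPriceMessage(prices);
//   window.parent.postMessage(m.message, m.targetOrigin);

// --- Parent side: runs in the norwegian.no frameset -------------------------
// The frameset now does the writing into its own frames, after checking that the
// message really came from the data provider and has the expected shape. Anything
// else (another frame, an injected script, garbage) is ignored.
function acceptPriceUpdate(event) {
  if (event.origin !== DATA_PROVIDER) return null;          // wrong sender
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  if (!msg || msg.type !== "prices" || !Array.isArray(msg.prices)) return null;
  const clean = [];
  for (const p of msg.prices) {
    // Whitelist the fields we will render, so the parent never injects
    // provider-supplied HTML into its own document.
    if (typeof p.flight !== "string" || !/^[A-Z0-9]{2,7}$/.test(p.flight)) return null;
    if (typeof p.nok !== "number" || !Number.isFinite(p.nok) || p.nok < 0) return null;
    clean.push({ flight: p.flight, nok: p.nok });
  }
  return clean;
}
// In a real page:
//   window.addEventListener("message", e => {
//     const prices = acceptPriceUpdate(e);
//     if (prices) renderPrices(prices);   // writes into the prices frame (same origin)
//   });

// --- Stand-in for the browser's delivery rule -------------------------------
// postMessage delivers only if the receiving window's origin equals targetOrigin
// (or targetOrigin is "*"). Returns undefined when the browser drops the message.
function deliver(receiverOrigin, senderOrigin, m, handler) {
  if (m.targetOrigin !== "*" && m.targetOrigin !== receiverOrigin) return undefined;
  return handler({ origin: senderOrigin, data: m.message });
}

// Constructed sample data for the demo (not real fares).
const SAMPLE_PRICES = [{ flight: "DY123", nok: 499 }, { flight: "DY456", nok: 899 }];

function demo() {
  const m = buildPriceMessage(SAMPLE_PRICES);
  return {
    // the real frameset receives and accepts the update
    genuine: deliver(BOOKING_SITE, DATA_PROVIDER, m, acceptPriceUpdate),
    // a phisher's copy of the frameset on another origin: browser drops it
    phisherFrameset: deliver("http://norwegian-no.example", DATA_PROVIDER, m, acceptPriceUpdate),
    // something other than amadeus.net posting into the real frameset: rejected
    spoofedSender: deliver(BOOKING_SITE, "http://evil.example", m, acceptPriceUpdate)
  };
}
```

Two things make this hold up where the original scripts did not: the sender names who may receive (`targetOrigin`), and the receiver names who may send (`event.origin`). Pinning only one side is not enough; a `targetOrigin` of `"*"` is the common mistake and reintroduces exactly the leak described above. Independently, the provider can refuse to be framed by anyone but the airline with a `Content-Security-Policy: frame-ancestors http://www.norwegian.no` response header, which closes the "duplicate the frameset" route at the browser rather than relying on a referrer check.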

Humans are lazy. Webmasters want browsers to forget all about security when it is convenient for them. Which is why it is hard to create a secure browser.


One thought on “norwegian across all domains?”

  1. Glad to report that Norwegian has updated the site and gotten rid of the frameset completely. Much, much better – kudos to the webmaster for getting rid of some of the least responsible JavaScripting I've seen for a while 🙂
