norwegian across all domains?

Although I'd like to see a certain Norwegian browser crossing borders and domains to make progress all over the world, I'm not at all pleased when the scripting authors that made the website of the new "Norwegian" airline try to show us the way with cross-domain scripting.

<> is quite an exciting new low-cost airline which might become very important in my little corner of the world.. but they'd have to fix their website. If you do a search, it loads a list of departures from in a subframe of a frameset that is located on Then, JavaScripts from wants to update other frames with prices and details.

Why doesn't your trusty browser want to allow this? After all, the webmaster implicitly chooses to trust by displaying that site prominently in the frameset?

Well, consider this: can not actually reliably know that it IS loaded inside's frames. (It could make a few checks but I'll bet they don't do that.) So if I wanted to spoof the site for a phishing attach or something, I would just have to duplicate the frameset itself and write some duplicate JavaScript functions of my own to receive the information. That is incredibly little work for a phisher – and it would make a fake site with live, real airline data!.

Humans are lazy. webmasters want browsers to forget all about security when it is convenient for them. Which is why it is hard to create a secure browser.

One thought on “norwegian across all domains?

  1. Glad to report that Norwegian has updated the site and gotten rid of the frameset completely. Much, much better – kudos to the webmaster for getting rid of some of the least responsible JavaScripting I've seen for a while 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s