Rule n° 216 - The browser address bar display is not blocked.

- Limit the risk of usernames and passwords being intercepted,
- Limit domain spoofing,
- Strengthen online identification and trust.

#Basics #Conception #Development #Security

Goal

Some websites display login forms in separate windows, without the browser address bar. These isolated windows, without the URL displayed, can be used to retrieve login credentials, without users having any way of knowing that they are not on the correct website (phishing). In general, it is always useful to know which website you are on.

Technical solution

Do not use popup opening techniques that hide the window's address bar, for example window.open() called with the features location=no or toolbar=no, or with the fullscreen or kiosk options.
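As an added example (not part of the Opquast rule text), the following JavaScript audits a window.open() features string for the address-bar-hiding options named above and builds a features string that explicitly keeps the address bar and toolbar visible. The parsing of the comma-separated features string and the helper names are assumptions; the option names come from the rule.

```javascript
// Added example, not part of the original rule: detect window.open()
// feature strings that request a window without an address bar, and
// build a feature string that keeps it visible.

// Features that hide the address bar when set (names from the rule above).
// Predicates decide whether the given value actually turns the feature on/off.
const isOff = (v) => v === "no" || v === "0" || v === "false";
const HIDING_FEATURES = {
  location: (v) => isOff(v),   // location=no removes the address bar
  toolbar: (v) => isOff(v),    // toolbar=no removes the toolbar holding it
  fullscreen: (v) => !isOff(v), // fullscreen requests a bare window
  kiosk: (v) => !isOff(v),      // kiosk mode hides all browser chrome
};

// Parse "width=600,location=no,fullscreen" into an object.
// A bare token (no "=") is treated as "yes", as browsers do.
function parseFeatures(features) {
  const out = {};
  if (!features) return out;
  for (const part of features.split(",")) {
    const [name, value = "yes"] = part.split("=").map((s) => s.trim().toLowerCase());
    if (name) out[name] = value;
  }
  return out;
}

// Return the names of features that would hide the address bar
// (an empty array means the call complies with the rule).
function addressBarHidingFeatures(features) {
  const parsed = parseFeatures(features);
  return Object.keys(parsed).filter(
    (name) => HIDING_FEATURES[name] && HIDING_FEATURES[name](parsed[name])
  );
}

// Rewrite a features string so the address bar and toolbar stay visible:
// drop fullscreen/kiosk and force location=yes,toolbar=yes.
function safeFeatures(extra = "") {
  const parsed = parseFeatures(extra);
  delete parsed.fullscreen;
  delete parsed.kiosk;
  parsed.location = "yes";
  parsed.toolbar = "yes";
  return Object.entries(parsed).map(([k, v]) => `${k}=${v}`).join(",");
}

// Open a popup that keeps the address bar (browser only; returns null
// when no window object exists, e.g. under Node).
function openWithAddressBar(url, name = "_blank", extra = "width=600,height=400") {
  if (typeof window === "undefined") return null;
  return window.open(url, name, safeFeatures(extra));
}
```

addressBarHidingFeatures() can be run over the features strings found in a site's scripts as a quick audit; openWithAddressBar() is the form to use in application code. Most current browsers already ignore location=no and toolbar=no and show the address bar regardless, but forcing the options explicitly keeps the intent clear and covers browsers that still honour them.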

Control method

Check each open window to see if the browser address bar is visible.