Picto thématique

Rule n° 216 - The browser address bar display is not blocked.

<ul> <li>Limit the risk of usernames and passwords being intercepted,</li> <li>Limit domain spoofing,</li> <li>Strengthen online identification and trust. </li> </ul>

#Conception #Development #Security

Goal

Some websites display login forms in separate windows, without the browser address bar. These isolated windows, without the URL displayed, can be used to retrieve login credentials, without users having any way of knowing that they are not on the correct website (phishing). In general, it is always useful to know which website you are on.

Implementation

Do not use popup opening techniques that hide the window's address bar. For example, window.open() with the options location="no," toolbar="no," fullscreen, or kiosk.

Control

Check each open window to see if the browser address bar is visible.

By Opquast - Read the license


Discover Opquast training and certification

The objective of these rules and the Opquast community mission is ‘making the web better’ for your customers and for everyone! Opquast rules cover the key major areas of risk that can negatively affect website users such as privacy, ecodesign, accessibility and security.

Opquast training has already allowed over 19,000 web professionals to have their skills certified. Train your teams, contact us

We offer a 1 hour free discovery module.