How can I convince my client that trying to hide the browser toolbar is a bad idea?
My client has a friend who is doing 'security testing,' and he's telling them that the PHP Zend Framework app I built for them needs to do these things on the browser side:
- hide location bar, toolbar, bookmarks, menu, and the back / forward button
- disable right-clicking
This is obviously a monumentally bad idea. I have pointed out that it hides the fact that the site is SSL-secured, that it is optional for browsers to honour these requests, and that real crackers will find a way around it anyway, since it is a client-side hack.
In addition to the badness of the idea, is it even possible? The basic tests I've done show this is only possible in IE before version 7, and not at all in Firefox, Safari, or Chrome. The guy insists it is possible in these browsers; I'm still waiting for a proof of concept.
- Is it possible? Either in a pop-up or in the same window.
- Any leads for usability studies that reject this approach?
- Is there any support anywhere for this idea that is less than 5 years old?
Better, though: any really good demolishing of this idea, especially from any source that is a security authority?
My client trusts this guy so I have to find some non-emotive counter-arguments.
Thanks
Point out that
- Even if the back/forward buttons are gone, almost every GUI browser under the sun still has keyboard shortcuts that can't be removed, e.g. Alt+Left/Alt+Right for navigation, Ctrl+D for bookmarking, etc.
- Most browsers have an "ignore disable right click" option in their settings.
  - With the right-click menu still available, it's trivial to get the URL of the current page and just copy/paste that into a normal, non-gimped window and proceed as usual anyway.
Trying to achieve security by ramming "disabled" windows down peoples' throats is bad design. A good site wouldn't care if you had a file or bookmarks menu, nor would it care if back/forward were available. Removing them simply covers up for bad design decisions.
All he's doing is removing a hammer from the users' toolkits, but the users still have lots of rocks lying around.
Not sure how much help this will provide, and I am assuming you have some sort of contract of what work will be provided. Simply refuse to do it. Walk away if you have to. If your client has a friend that is so set on performing such moronic tasks, let the client's friend do it and move on.
Sounds to me like you have come to a situation where you need to walk, or possibly fire your client.
Personally, I would even entertain the idea.
Good Luck!
I agree that it's a monumentally bad idea, mostly from a user interface perspective. By doing that, you're breaking an implicit user/application contract, which says the application should not interfere with the user's normal interface more than is necessary. In short, it will piss people off.
It should be quite easy to demolish the idea that this somehow adds security, simply by coming up with a few demonstrations of how you would circumvent it (see Marc B's answer).
Another point is that if it were a "best practice", you'd see a lot of people out there doing it. You don't, though, because it's not. Take some examples of institutions which have a solid security reputation (banks, DOD website, etc), and show that they don't need such things in order to be secure.
In Chrome it is possible, but only from a command line switch, not through JavaScript.
For example, say Chrome is installed to c:/chrome/chrome.exe, then you can launch your site using
c:/chrome/chrome.exe --app=http://mysite.com
This is useful for Internal Web App type applications, but not for general Web browsing.
As for practical convincing, also ask them to showcase their bank's online banking site. Then compare your security approach (https) to the one used by online banking systems (https). Should their bank use some form of address or status bar removal, then you can still adopt that approach. (There's only window.open, and that's quite restricted in current browser configurations.)
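Since the question asks for a proof of concept and this answer notes that window.open is all that is left and is quite restricted, here is an added JavaScript check (my own example, not code from the question or from any answer) that the developer can run in a browser console: it asks window.open to hide every bar and then reads the read-only BarProp `visible` flags the browser exposes (window.toolbar, window.locationbar, window.menubar, and so on) to report which bars the browser kept anyway. The function names (buildFeatureString, inspectBars, demoRestrictedPopup) are this example's own; the popup URL should be about:blank or same-origin, because a cross-origin popup does not expose these properties.

```javascript
// Added example: measure which browser UI bars survive a window.open()
// request to hide them. Names below are this example's own assumptions,
// not part of the question, any answer, or the Zend Framework app.

// Build a window.open() feature string from an options object, e.g.
// { toolbar: false, location: false, width: 800 }
//   -> "toolbar=no,location=no,width=800"
function buildFeatureString(options) {
  return Object.entries(options)
    .map(([name, value]) =>
      typeof value === 'boolean' ? `${name}=${value ? 'yes' : 'no'}` : `${name}=${value}`)
    .join(',');
}

// Bars a Window exposes as BarProp objects with a read-only `visible` flag.
const BAR_NAMES = ['locationbar', 'menubar', 'personalbar', 'scrollbars', 'statusbar', 'toolbar'];

// window.open() feature name -> BarProp property that reports the outcome.
const FEATURE_TO_BAR = {
  toolbar: 'toolbar',
  location: 'locationbar',
  menubar: 'menubar',
  status: 'statusbar',
  scrollbars: 'scrollbars',
};

// Read the BarProp flags of a window-like object and return { name: boolean }.
// A missing or unreadable bar is reported as visible (true): for this check
// the safe conclusion is "the browser kept it", never "the script hid it".
function inspectBars(win) {
  const result = {};
  for (const name of BAR_NAMES) {
    let visible = true;
    try {
      const bar = win[name];
      if (bar && typeof bar.visible === 'boolean') visible = bar.visible;
    } catch (e) {
      // Cross-origin windows throw on property access; treat as visible.
    }
    result[name] = visible;
  }
  return result;
}

// Feature names the page asked to disable that the browser left visible.
function barsKeptDespiteRequest(requested, actual) {
  return Object.entries(FEATURE_TO_BAR)
    .filter(([feature, bar]) => requested[feature] === false && actual[bar] === true)
    .map(([feature]) => feature);
}

// Browser-only entry point: open a popup with every bar disabled and report
// the outcome. Returns null when the popup blocker refused the window.
function demoRestrictedPopup(url = 'about:blank') {
  const requested = {
    toolbar: false, location: false, menubar: false, status: false,
    scrollbars: false, width: 600, height: 400,
  };
  const popup = window.open(url, '_blank', buildFeatureString(requested));
  if (!popup) return null;
  const actual = inspectBars(popup);
  return { requested, actual, kept: barsKeptDespiteRequest(requested, actual) };
}
```

Run demoRestrictedPopup() from the console on the site itself; the `kept` list is the evidence the client is asking for, and a bar the browser reports as visible is one no script on the page can remove. Results differ between browsers and versions, which is the point: the behaviour belongs to the browser, not to the application.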
Windows users perceive security visually. Offer your advice, implement customer wishes as long as they are not detrimental, then walk away. Don't try to educate unconvincable clients.
Perhaps you can point out what Jakob Nielsen (Ph.D. in human-computer interaction) has said about this in terms of usability:
Designers open new browser windows on the theory that it keeps users on their site. But even disregarding the user-hostile message implied in taking over the user's machine, the strategy is self-defeating since it disables the Back button which is the normal way users return to previous sites. Users often don't notice that a new window has opened, especially if they are using a small monitor where the windows are maximized to fill up the screen. So a user who tries to return to the origin will be confused by a grayed out Back button.
From: #9 in Top 10 Mistakes in Web Design