浏览器窗口的弹出窗口 - 风险和特殊功能 [英] Browser window popups - risks and special features

问题描述

1。究竟什么是与弹出的安​​全风险？结果
新的浏览器提供的设置来阻止弹出窗口（阻断，活跃站点的弹出窗口显示消息到用户）。究竟什么是与弹出的安​​全风险？如果允许弹出窗口可以执行一些危险的，那么主窗口也可以。难道不是这样的。我想我不知道窗口弹出的一些特殊权力。

1. What exactly is the security risk with popups?
The new browsers provide settings to block window popups (on blocking, sites with active popups display a message to user). What exactly is the security risk with popups? If allowing popups can execute something dangerous, then the main window can too. Is it not the case. I think I don't know about some special powers of window popups.

2。弹出窗口的任何特殊功能？结果
就拿例如 HDFC银行网路银行网站。整个网路银行会发生在一个新的窗口弹出，并且用户没有手动编辑URL或粘贴在主浏览器窗口的URL。这是行不通的。是需要此功能的弹出窗口？是否提高安全性？ （问，因为一切是有在这个网站围绕安全 - 所以他们必须这样做，是有原因的太）。为什么否则他们将实现一个弹出窗口上的整个网路银行？

2. Any special features of popup windows?
Take for example the HDFC bank netbanking site. The entire netbanking session happens in a new window popup and a user neither manually edit the URL or paste the URL in the main browser window. it does not work. Is a popup window needed for this feature? Does it improve security? (Asking because everything that is there in this site revolves around security - so they must have done that for a reason too). Why otherwise they would implement the entire netbanking on a popup window?

3。是否有可能重写浏览器的弹出窗口阻止设置结果
最后，HDFC网站succcessfully弹出显示，即使在浏览器设置弹出窗口被阻止的窗口。那么，他们怎么办呢？那是一个浏览器破解？结果
要看到这一点 -

3. Is it possible to override browser's popup blocking settings
Lastly, the HDFC site succcessfully displays popup window even when in the browser settings popups are blocked. So, how do they do it? Is that a browser hack?
To see this -

• 去 http://hdfcbank.com/


• 登录到您的帐户部分下选择HDFC银行NetBanking时，并点击登录按钮。

您可以验证，即使弹出窗口被阻止/弹出窗口拦截器在浏览器设置中启用，这个网站能够显示弹出窗口。

You can verify that even if popups are blocked/popup blocker is enabled in the browser settings, this site is able to display popups.

答案<一个href=\"http://stackoverflow.com/questions/2551534/bypassing-browser-popup-blocking-when-automatic-session-timout-occurs\">this问题说，这是不可能的，如果它已经被挡在浏览器设置来显示弹出式窗口。

The answers to this question say that it is not possible to display popup windows if it has been blocked in browser settings.

解决结果
用尖尖的解决方案和意见根据该结论是：

Solved
Concluded with Pointy's solution and comments under that:

<a onclick="displayPopup();" href="#">
   Click here for a popup - this will appear even if popups are blocked in browser settings.
</a>

下面是一个小提琴展示了相同的。

Here is a fiddle demonstrating the same.

推荐答案

从弹出窗口的安全风险是：

The "security" risks from popup windows are:

• 弹出窗口是一个显着的网络钓鱼技术。敌对站点可以使用弹出窗口，以说服用户从一个重​​要消息的受信任的网站已被交付，诱骗那些人去点击，通过一些恶意软件URL（甚至只是点击本身可能利用一个bug ）。是的，该网站的主页可以做到这一点，而是一个精心设计的弹出可以分散用户，并不得与敌对的主网页直接相关。

• Popup windows are a notable "phishing" technique. Hostile sites can use popups to convince users that an important message from a trusted site has been delivered, and trick those people into clicking through to some malware URL (or perhaps even just the click itself might exploit a bug). Yes, the main page of the site could do that too, but a well-crafted popup can distract the user and may not be directly associated with the hostile main page.

弹出窗口被许多令人讨厌的网站利用作为一种陷阱用户基本上强制广告IM pressions等。在这方面，问题的安全性方面确实是的安全性用户在自己的电脑控制和他们的浏览欲望。

Popups were exploited by many unsavory sites as a way to "trap" users and to essentially force ad impressions, etc. In this respect, the security aspect of the problem really is the security of the user's control over their own computer and their browsing desires.

现代浏览器将的允许的弹出窗口时，他们通过明确的用户操作触发一个事件循环启动。因此，这是完全正常（忽略网页设计的最佳实践），在一个单独的窗口中打开一个东西帮助一节像你的网站，如果当用户点击一个出现这种情况帮帮我！按钮。此外，它已经成为很常见的网站在页面倒霉蛋游人面前使用假窗来堵塞的内容和浏览器真的不能做任何事情来制止。

Modern browsers will allow popups when they're launched from an event loop triggered by an explicit user action. Thus, it's perfectly OK (ignoring web design best practices) to open up something like a "Help" section for your website in a separate window if that happens when the user clicks a "Help Me!" button. Also, it's become quite common for sites to use in-page "pseudo windows" to jam content in front of hapless visitors, and browsers really can't do anything to stop that.

的修改的＆MDASH;至于你的其他点：

edit — as to your other points:

为什么网站把自己的Web应用程序之类的银行到单独的弹出窗口？的

Why do sites put their "web applications" like banking into separate pop-up windows?

我认为使用单独的浏览器窗口大多数网站（银行，保险公司和其他金融机构似乎真的很喜欢这个）可能做到这一点，使他们可以尽量控制自己的应用程序的浏览器的环绕声。特别是，他们似乎很喜欢摆脱返回按钮，以此来简化他们的设计理念。一个浏览器窗口是浏览器窗口，但是，一个窗口， window.open（）是不是真的多从任何其他浏览器窗口不同。

I think that most sites that use separate browser windows (banks, insurance companies, and other financial institutions seem to really love this) probably do it so that they can try to control the browser "surround" of their application. In particular, they seem to like the idea of getting rid of the "Back" button as a way to simplify their designs. A browser window is a browser window, however, and a window created with window.open() isn't really much different from any other browser window.

能弹出窗口拦截器设置所覆盖？的

Can popup blocker settings be overridden?

没有。这HDFC银行的例子就是一个很好的一个。他们的弹出窗口出现的仅当你点击登录按钮。因为点击是一个明确的用户启动的操作（不像，说，页面加载），浏览器将允许弹出窗口。那将是任何网站的真实;银行没有做什么特别对于工作。您通常可以做到从点击事件处理程序弹出窗口，但你不能像从XHR状态改变处理器推出一个弹出窗口。

No. That HDFC bank example is a good one. Their popup window comes up only when you click on the "Login" button. Because that "click" is an explicit user-initiated action (unlike, say, page load), the browser will allow a popup window. That'll be true for any site; the bank doesn't have to do anything special for that to work. You can generally do popups from "click" event handlers, but you cannot launch a popup from something like a state change handler from an XHR.

这篇关于浏览器窗口的弹出窗口 - 风险和特殊功能的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！