2 Matching Annotations
- Feb 2021
If you teach your users to trust that the URL bar is supposed to not change when they click links (e.g. your site uses a big iframe with all the actual content), then the users will not notice anything in the future either in case of an actual security vulnerability.
- detecting security exploits
- easy to miss / not notice (attention)
- just because you don’t see/notice it, doesn’t mean it’s not happening
- unintended consequence
The point is, just because you don’t see it, doesn’t mean it’s not happening. It’s been more than two years and as far as I know, no one has ever noticed one of my requests. Maybe it’s been in your site this whole time.