This seems like a decent solution compared to alternatives presented so far throughout the discussion.
Folks who browse in an edge-to-edge maximized window will still be at least somewhat-to-quite vulnerable, especially if less tech-savvy or vision impaired. I generally don't browse this way, mostly due to the relatively insane* width of displays in general these days.
Would mobile users still be vulnerable? Due to:
1. Tiny screen dimensions.
2. No option for "window" resizing. It's not even a thing.
* OT: Displays today are wide to such an extreme they tend to be too wide for my needs and tastes. Eventually it's too much like staring at the bottom 1/5th of a full-sized 4k display, which work sent me but turns out is mostly good for watching Batman, The Matrix, and other ultra-wide theatrical film releases. Granted, at this task, a 34" 1440p widescreen excels marvelously.
Surely you've heard the joke (or is it an adage?):
"With that 34" display, it can [finally] render a Java Class Name and fit it within a single line. But after the IDE and debugger open, you can only see the one line."
- the login popup could integrate with your OS, so depending on your options it could pre-fill the username and password or only the username; a faked one will be forced to guess your username.
- the fake stuff always failed for me, I am using Kubuntu and all those fake popups were using an XP theme.
- because some OSs don't give you the option to customize shit anymore, in this case they would make an exception and ask you to personalize the login popup, like ask you to use an avatar img from a big list that is sorted randomly and maybe a color. Anyway, Apple and Google have the money to pay someone to think more than 5 minutes about this, so there could be even more solutions for these permission popups.
>With that 34" display, it can [finally] render a Java Class Name and fit it within a single line. But after the IDE and debugger open, you can only see the one line.
Don't hate long names, hate bad names.
I found a bug in our project caused by such bad short names; a good, clear name is always clearer than some misleading short one or a random short string.
I'm pretty sure I could be fooled by a really good fake HTTP Basic Authentication prompt. Yeah, technically the real one is distinguishable, but it seems like it would be easy not to notice.
Interesting, Firefox made it overlap very slightly with the browser chrome, which I'd never noticed before; is that, perhaps, specifically because of this issue?
The popups to give permissions are already being spoofed by pages. Fake Chrome permissions requests for notifications get around Chrome's detection of sites that request to send push notifications too aggressively. You can't stop this unless you physically take over the full screen for stuff like login, which is extremely disruptive.
You do the login in a native popup, similar to how you give, say, camera permissions.