Hot on the heels of my last post comes an advisory from Secunia on address bar spoofing in Internet Explorer 7.0. This one is pretty straightforward: just adding some %0A’s (the URL-encoded form of a line break) as padding in the URL in a popup window. It should be pretty trivial to fix, but I can never figure out why browsers allow the URL field to be removed at all. Suppression of URL fields should never be allowed unless the user permits it as a power user function.
That’s a few big holes in just a few days for the newest version of Internet Explorer. The scorecard isn’t looking so hot at this point. Anyone keeping score?
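For defenders who want to spot this kind of padding in proxy or referrer logs, here is an added example (not from the Secunia advisory or the original post) that flags URLs carrying percent-encoded line breaks or other control characters, including double-encoded ones such as `%250A`. The function names and the sample URLs are constructed for illustration.

```javascript
// Decode only control bytes and '%' itself, repeating a few rounds so
// double-encoded padding (%250A -> %0A -> line feed) is unwrapped too.
// Other escapes (%FF, %20, ...) are left untouched, so malformed or
// non-UTF-8 escapes never abort the scan.
function decodeControls(text, maxRounds = 3) {
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = current.replace(/%([0-9a-fA-F]{2})/g, (match, hex) => {
      const code = parseInt(hex, 16);
      const unwrap = code < 0x20 || code === 0x7f || code === 0x25;
      return unwrap ? String.fromCharCode(code) : match;
    });
    if (next === current) break;
    current = next;
  }
  return current;
}

// Report how many control characters a URL hides, the longest
// consecutive run (padding shows up as a long run), and the text that
// precedes the first one, which is useful context during triage.
function inspectUrl(url) {
  const decoded = decodeControls(url);
  let controlCount = 0, longestRun = 0, run = 0, firstIndex = -1;
  for (let i = 0; i < decoded.length; i++) {
    const c = decoded.charCodeAt(i);
    if (c < 0x20 || c === 0x7f) {
      if (firstIndex < 0) firstIndex = i;
      controlCount++;
      run++;
      longestRun = Math.max(longestRun, run);
    } else {
      run = 0;
    }
  }
  const prefix = firstIndex < 0 ? decoded : decoded.slice(0, firstIndex);
  return { suspicious: controlCount > 0, controlCount, longestRun, prefix };
}

// Constructed sample URLs (example.test is a reserved test domain).
const SAMPLES = [
  "http://example.test/account/login",
  "http://example.test/page%0A%0A%0A%0Apath",
  "http://example.test/a%250A%250Db",
  "http://example.test/q?x=100%25&y=%FF",
];

function flagged(urls) {
  return urls.filter((u) => inspectUrl(u).suspicious);
}

console.log(flagged(SAMPLES));
```

A literal `%0A` that a site deliberately double-encodes will also be flagged, so treat hits as leads for review, not verdicts.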