Using Contacts Control in a single page
Would it be possible to host the control and relevant pop-up windows on the same page? Maybe with divs etc?
Any such samples?
Thanks
Riaan
London
Riaanvs wrote:
Great control guys, I think it's awesome.
Would it be possible to host the control and relevant pop-up windows on the same page? Maybe with divs etc?
Any such samples?
Hi Riaan,
As much as I'd love to get rid of the popup windows, it's highly unlikely that they will go away. The popup windows provide a critical element of identity verification to the end user about who is responsible for the information shown. Placing the confirmation display inside an element of the same page provides no indication of where that information comes from. It could be coming from Microsoft, but it could also be coming from evil.com in some sort of scam to trick the user into doing something other than what is indicated.
The browser popup window shows the URL of the page, giving the end user an opportunity to validate that the page that claims to be speaking for Microsoft is actually hosted on a Microsoft domain. These elements of the popup browser window are much more difficult to spoof than text or images in a div tag.
The biggest threat is to the login step. If we just put a username + password prompt in the contacts control itself, there is a great risk that evil.com could mimic that UI to trick unsuspecting visitors into giving evil.com their login credentials. That would be bad. Instead, we bring up the live.com login UI in a separate window so that the user can see the URL, see the SSL lock icon, and so forth before handing over their credentials.
If all the pieces came from the same domain, then this wouldn't be an issue. The trust boundary would be the domain name, end of story. But when you're using services and UI elements from multiple domains that have no trust relationship, it's important for the end user to understand where the trust boundaries are so that they can make informed decisions about how their data will be used.
The contacts control is a first step into this world of cross-domain web components. We have some ideas on how to reduce the friction between pieces and make the end user experience more seamless, without compromising trust or privacy. Stay tuned.
-Danny
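
The check the reply asks the end user to make from the popup's address bar (is this page served over SSL, and is its host really on the provider's domain?) can be written out in code. The following is an added example, not part of the original posts and not code from the contacts control: the helper name `checkLoginUrl` and all sample URLs are constructed, and `live.com` is used as the trusted domain only because the reply names it.

```javascript
// Added example: hypothetical helper, constructed sample URLs.
const TRUSTED_DOMAIN = "live.com"; // domain named in the reply above

// Mirrors what a user verifies in the popup's address bar:
// the scheme (SSL lock) and the domain the host actually belongs to.
function checkLoginUrl(raw, trustedDomain = TRUSTED_DOMAIN) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { trusted: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not served over SSL/TLS" };
  }
  // "https://login.live.com@evil.com/" puts the trusted name in userinfo.
  if (url.username || url.password) {
    return { trusted: false, reason: "userinfo placed before the real host" };
  }
  // The parser lower-cases the hostname; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  // Compare on a label boundary so "notlive.com" does not match.
  const onDomain = host === trustedDomain || host.endsWith("." + trustedDomain);
  if (!onDomain) {
    return { trusted: false, reason: "host " + host + " is outside " + trustedDomain };
  }
  return { trusted: true, reason: "https on " + host };
}

// Constructed samples: one genuine-looking URL and several lookalikes.
const SAMPLE_URLS = [
  "https://login.live.com/",
  "http://login.live.com/",
  "https://login.live.com.evil.com/",
  "https://login.live.com@evil.com/",
  "https://evil.com/login.live.com/",
  "https://notlive.com/",
];

function runSamples() {
  return SAMPLE_URLS.map((u) => [u, checkLoginUrl(u)]);
}

for (const [u, result] of runSamples()) {
  console.log((result.trusted ? "TRUSTED   " : "UNTRUSTED ") + u + "  (" + result.reason + ")");
}
```

Only the first sample passes. Every check here depends on seeing the real URL, which a div on the hosting page does not give the user.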