Forum Discussion
Improving notifications and badging in Microsoft Edge
Very excited and happy to see these features.
It would be nice to support notifications when a site is pinned to the Start menu in Windows 10 too. I am also interested in whether pinning a website to the Start menu would also support live tiles (I believe there is a need to write some API for it).
While this is a good feature, there is a risk of abuse of this feature by malicious websites. For example, you might notice websites that tell users they WIN LOTTERY or ask them to download malicious programs, and when the user wants to navigate away they show a message like "do you want to close this page?" I believe there should be some sort of control over notifications, like limiting them and giving the user the ability to set limits for them, and also reporting and blocking this feature in case websites abuse it, like sending multiple unwanted notifications.
- HotCakeX Nov 12, 2020 MVP
Reza_Ameri-Archived wrote: Very excited and happy to see these features.
It would be nice to support notifications when a site is pinned to the Start menu in Windows 10 too. I am also interested in whether pinning a website to the Start menu would also support live tiles (I believe there is a need to write some API for it).
While this is a good feature, there is a risk of abuse of this feature by malicious websites. For example, you might notice websites that tell users they WIN LOTTERY or ask them to download malicious programs, and when the user wants to navigate away they show a message like "do you want to close this page?" I believe there should be some sort of control over notifications, like limiting them and giving the user the ability to set limits for them, and also reporting and blocking this feature in case websites abuse it, like sending multiple unwanted notifications.
Notifications and badges are separate things.
Edge handles notifications very well, using the quiet notifications feature. There is no more spam of notification requests.
And as the article says about badging:
"because they don't interrupt the user, they don't need the user's permission."
So no interruption, no malicious activity. If a website is malicious, Edge already knows how to handle it. This badging feature comes after Edge's already-in-place defense against malicious websites.
- If websites spam the user by showing messages when the user tries to close the page, there is a checkbox to select to stop the website from showing any more of those messages.
- If a website is malicious, Edge uses built-in security tools to mitigate it. Take a look at them in: edge://settings/privacy
- Websites can't automatically show badges on the taskbar; the user must intentionally go to the settings and pin that website to the taskbar. So, prior to that decision, some sort of trust must have happened between the user and the website.
- Even after the user deliberately pins a website to the taskbar and then that website decides to be malicious, all it can do is show a small tiny number in the taskbar. If the user, at any time, feels it's an unwanted behavior, they can go ahead and unpin that website's icon from the taskbar via a simple right-click.
When I review the JavaScript code for the Badging API, I don't see how malicious payloads can be sent through it. If you do, mention the exact part of the code here.
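The badge calls discussed in this thread, as an added example that is not part of any participant's post or of Edge's code: a site-side wrapper around `navigator.setAppBadge()` and `navigator.clearAppBadge()` that feature-detects the API and passes only a bounded non-negative integer. The names `updateBadge`, `makeStubNavigator` and `MAX_BADGE` are hypothetical, and the stub navigator is constructed so the block runs outside a browser.

```javascript
// Added illustration. navigator.setAppBadge() takes one optional numeric
// argument and navigator.clearAppBadge() takes none: the API has no
// parameter for text, URLs or markup.
const MAX_BADGE = 99; // assumed cap chosen by this example, not by the API

function updateBadge(nav, unreadCount) {
  // Feature-detect: browsers without the Badging API lack these methods.
  if (!nav || typeof nav.setAppBadge !== "function" ||
      typeof nav.clearAppBadge !== "function") {
    return "unsupported";
  }
  // Only a non-negative integer is ever forwarded to the browser.
  if (!Number.isInteger(unreadCount) || unreadCount < 0) {
    return "rejected";
  }
  if (unreadCount === 0) {
    Promise.resolve(nav.clearAppBadge()).catch(() => {});
    return "cleared";
  }
  const shown = Math.min(unreadCount, MAX_BADGE);
  Promise.resolve(nav.setAppBadge(shown)).catch(() => {});
  return "set:" + shown;
}

// Constructed stand-in for window.navigator that records each call.
function makeStubNavigator() {
  const calls = [];
  return {
    calls,
    setAppBadge(n) { calls.push(["set", n]); return Promise.resolve(); },
    clearAppBadge() { calls.push(["clear"]); return Promise.resolve(); },
  };
}

function demo() {
  const nav = makeStubNavigator();
  const results = [
    updateBadge(nav, 3),            // ordinary unread count
    updateBadge(nav, 5000),         // inflated count is capped
    updateBadge(nav, "<b>WIN</b>"), // non-numeric input never reaches the API
    updateBadge(nav, 0),            // zero clears the badge
    updateBadge({}, 3),             // browser without the API
  ];
  return { results, calls: nav.calls };
}

console.log(demo());
```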
- Reza_Ameri-Archived Nov 13, 2020 Bronze Contributor
I am aware of all these features; my point is that with social engineering, spammers and bad guys would be able to convince users to take actions like pinning and so on.
When I see any malicious website, I will report it to the SmartScreen filter, but many users might not do that and they fall into the trap.
I am sure the Microsoft Edge team will take some steps to mitigate it, but this is just a reminder to make sure they are aware of every aspect of it.
- HotCakeX Nov 13, 2020 MVP
Reza_Ameri-Archived wrote: I am aware of all these features; my point is that with social engineering, spammers and bad guys would be able to convince users to take actions like pinning and so on.
When I see any malicious website, I will report it to the SmartScreen filter, but many users might not do that and they fall into the trap.
I am sure the Microsoft Edge team will take some steps to mitigate it, but this is just a reminder to make sure they are aware of every aspect of it.
Websites convincing users to do something is not a good reason. People can be convinced in countless ways in their everyday lives.
Reporting malicious websites doesn't need to be done by every single person; even if only 1 person reports it, it will be registered into the system (more than 1 report is better, obviously).
So there is nothing to worry about; this doesn't pose any threat to the end user beyond what they are already prone to in their everyday lives.
Plus, like I said, the JavaScript code doesn't allow a malicious payload to come to users' computers. So even if a user, willingly or after being convinced, pins a website to the taskbar, nothing malicious can be done. If the user sees a ridiculous amount of notifications displayed on the taskbar, they will just unpin it.
This is all well thought out.
Always remember, PEBKAC (Problem Exists Between Keyboard And Chair)