Comment 267 for bug 332945

Thomas, you bring up an important point. This behaviour is nothing a user would expect, and something he usually has links to malicious software, so how to know that it is ok.

However, as I have mentioned before, I think it is even more dangerous the other way round. People are trained to trust up pop-up window, and trust it so much as to enter their password. It seems so easy to me to exploit this training by putting up a website which opens a pop-up which looks just like the update-manager, but which installs some malicious software instead. And since the user is used to pop-up windows asking for his/her password, he/she will give it right away. And this is a pitfall which will not only be a danger to newbies and non-geeks, but basically to everyone who does not use a pop-up blocker for whatever reason. All these persons will always have to close the pop-up window and then open update manager manually, in order to confirm that it really is the right application which they are giving their password to. IMHO this constitutes a huge security leak, but I haven't seen anybody else commenting on it, so maybe there is a safeguard that the two of us don't see?