The new EVE launcher opens a non-resizable popup window with no address bar. This is terrible practice and part of the cancer which makes OAuth insecure and susceptible to phishing.
- It is not possible to verify the URL of the login page.
- It is not possible to verify the TLS certificate of the login page.
- It is impossible to tell if the login page was opened by the EVE launcher or some phishing site.
- It is impossible to tell whether the login page is a browser window or a popup opened by some malware.
Whoever designed this should take some time reading the RFCs:
https://datatracker.ietf.org/doc/rfc8252/ (especially section 8)
https://tools.ietf.org/html/rfc6819
To see a good example, look at how pyfa and most other third-party EVE apps do login. How could you possibly do it so wrong with your own client?
Ironically, when you click “Manage API permission” in the EVE launcher, the same app, it is done right! WTF?!
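Added example, not part of the original post and not code from the EVE launcher or pyfa: a sketch of the client side of the RFC 8252 pattern the post points to, where the authorization request opens in the system browser (address bar and certificate visible) with a loopback redirect, PKCE and a `state` check. The endpoint, client ID, port and function names are placeholders assumed for illustration.

```python
import base64
import hashlib
import secrets
import webbrowser
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders, not real EVE SSO values.
AUTHORIZE_URL = "https://sso.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_request(port: int) -> dict:
    """Create per-login secrets and the URL to open in the system browser."""
    verifier = secrets.token_urlsafe(32)   # 43-char high-entropy verifier
    state = secrets.token_urlsafe(16)      # binds the callback to this login
    redirect_uri = f"http://127.0.0.1:{port}/callback"  # loopback redirect
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return {"url": f"{AUTHORIZE_URL}?{query}", "state": state,
            "verifier": verifier, "redirect_uri": redirect_uri}

def parse_callback(request_target: str, expected_state: str) -> str:
    """Return the authorization code from the loopback request, or raise."""
    params = parse_qs(urlsplit(request_target).query)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from this login")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

if __name__ == "__main__":
    req = build_authorization_request(port=49152)  # port is an assumption
    # The system browser shows the address bar and certificate to the user.
    webbrowser.open(req["url"])
    print("Waiting for redirect to", req["redirect_uri"])
```

The `verifier` is sent later with the code in the token request, so a code intercepted on the redirect cannot be redeemed without it.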