W3C home > Mailing lists > Public > public-usable-authentication@w3.org > October 2009

Re: Re: Request for Reviewers: Section 7.4 of Web Security Context: User Interface Guidelines; deadline Sep 24 ( LC-2255)

From: <mzurko@us.ibm.com>
Date: Fri, 23 Oct 2009 20:33:45 +0000
To: Adam Barth <w3c@adambarth.com>
Cc: public-usable-authentication@w3.org,public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, public-usable-authentication@w3.org
Message-Id: <E1N1QpV-0003NR-R4@wiggum.w3.org>

 Dear Adam Barth ,

The Web Security Context Working Group has reviewed the comments you sent
[1] on the Last Call Working Draft [2] of the Web Security Context: User
Interface Guidelines published on 26 Feb 2009. Thank you for having taken
the time to review the document and to send us comments!

The Working Group's response to your comment is included below.

Please review it carefully and let us know by email at
public-usable-authentication@w3.org if you agree with it or not before 30
October 2009. In case of disagreement, you are requested to provide a
specific solution for or a path to a consensus with the Working Group. If
such a consensus cannot be achieved, you will be given the opportunity to
raise a formal objection which will then be reviewed by the Director during
the transition of this document to the next stage in the W3C Recommendation
Track.

Thanks,

For the Web Security Context Working Group,
Thomas Roessler
W3C Staff Contact

 1.
http://www.w3.org/mid/7789133a0909182312s5119eafhffa1c80629648f49@mail.gmail.com
 2. http://www.w3.org/TR/2009/WD-wsc-ui-20090226/


=====

Your comment on :
> Comments below.
> 
> > Web user agents MUST prevent web content from obscuring, hiding, or
> disabling security user interfaces.
> 
> This is impossible in a multi-window web user agent in an overlapping
> window manager (e.g., every major browser on every major
> general-purpose operating system).
> 
> > Web user agents MUST NOT allow web content to open new windows with
> the browser's security UI hidden.
> 
> This precludes innovative solutions to the full-screen video problem,
> like Flash's disabling of the keyboard to prevent password theft.
> 
> > Web user agents MUST prevent web content from overlaying chrome. User
> interactions that are perceived to deal with browser chrome must not be
> detectable for Web content.
> 
> This is generally not the case for keyboard user interactions.  In
> typical user agents, keyboard events are sent to the content area
> before being processed by browser chrome.
> 
> > Web user agents MUST NOT expose programming interfaces which permit
> installation of software without a user intervention.
> 
> What does it mean to install software?
> 
> > Web user agents MUST inform the user and request consent when web
> content attempts to install software outside of the browser
> environment.
> 
> Why can't the user agent simply ignore these attempts?
> 
> > Web user agents MAY inform the user when web content attempts to
> execute software outside of the agent environment.
> 
> What is the agent environment?  For example, does follow a mailto link
> fall under this requirement given that seems to execute the user's
> default mail software outside the user agents environment
> 
> > Web user agents MUST NOT expose programmatic interfaces that allow
> bookmarking without explicit user consent.
> 
> Should the user agent not expose the API without consent, or should
> the API not allow bookmarking without consent?
> 
> > Web user agents MUST NOT expose programmatic interfaces that allow
> bookmarking an URL that does not match the URL of the page that the user
> currently interacts with.
> 
> Why not?
> 
> On a more general note, what do you mean by expose a programmatic
> interface?  Does that cover browser extension APIs?  Those are
> certainly programatic interfaces exposed by the user agent.  Pushing
> in another direction, what if the user agent exposed that
> functionality via an HTML tag.  Would that be a *programmatic*
> interface?
> 
> > Web user agents which offer this restriction SHOULD offer a way to
> extend permission to individual trusted sites. Failing to do so
> encourages users who desire the functionality on certain sites to
> disable the feature universally.
> 
> What if the user agent doesn't expose a user interface to disable the
> feature universally?
> 
> Adam
> 
> 
> On Thu, Sep 17, 2009 at 11:06 AM, Arthur Barstow
> <art.barstow@nokia.com> wrote:
> > The title of the spec is actually "Web Security Context: User
> Interface
> > Guidelines":
> >
> >  http://www.w3.org/TR/wsc-ui/#robustness-api
> >
> > On Sep 17, 2009, at 1:57 PM, Barstow Art (Nokia-CIC/Boston) wrote:
> >
> >> All,
> >>
> >> The Web Security Context Working Group asked WebApps to review
> >> Section 7.4 of their Web Security Context Working Group spec:
> >>
> >>  <http://www.w3.org/TR/wsc-ui/#robustness-apis>
> >>
> >> If you have any comments, please send to the following list by
> >> September 24 at the latest:
> >>
> >>  public-usable-authentication@w3.org
> >>
> >> -Regards, Art Barstow
> >>
> >>
> >>
> >
> >
> >


Working Group Resolution (LC-2255):
Thank you for your review.

We're not talking about pop ups in the context of "MUST prevent web
content from obscuring, hiding, or disabling security user interfaces."

Innovative full screen solutions are covered in the interaction between
section 6.1.1 and section 7.1. Section 7.1 says the user agent cannot open
windows without security chrome, however section 6.1.1 specifically allows
for this when going into "presentation mode". The Flash behavior described
falls into this category.

The wording on "overlaying chrome" was confusing, as you were explaining
the exact cause for that text. We've attempted to make it clearer. 

Installing software means downloading it for later execution. 

The requirement to notify the user is if the user agent is going to do the
install and not just ignore the attempt. 

Since the third paragraph of 7.4.2 ("attempts to execute software outside
of the agent environment") was (only) a MAY, and causing some confusion, we
have removed it. 

The user consent is required for the action of bookmarking, not the
browser making the APIs available. 

User agents often include features that enable Web content to update the
user's bookmark file, e.g. through a JavaScript API. If permitted
unchecked, these features can serve to confuse users by, e.g., placing a
bookmark that goes by the same name as the user's bank, but points to an
attacker's site.

We are changing 7.4.3 to:
> User agents often include features that enable Web content to update  
> the user's bookmark file, e.g. through a JavaScript API. If  
> permitted unchecked, these features can serve to confuse users by,  
> e.g., placing a bookmark that goes by the same name as the user's  
> bank, but points to an attacker's site.
>
> Web user agents MUST NOT permit Web content to add bookmarks without  
> explicit user consent.
>
> Web user agents MUST NOT permit Web content to add URIs to the  
> user's bookmark collection that do not match the URI of the page  
> that the user currently interacts with.
>


Browser vendor experience indicates that if the user agent provides
annoying seemingly useless dialogs and do not provide the user with a way
to disable them universally, users switch to another browser. 

----
Received on Friday, 23 October 2009 20:33:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 23 October 2009 20:33:55 GMT