Re: [w3ctag/design-reviews] Modal window (#427)

I'm concerned with your (apparent, implicit) design decision to populate native UI (the modal sheet) with arbitrary web content. My concern is similar to those expressed by [Marcos](https://github.com/mozilla/standards-positions/issues/23#issuecomment-372537251), [Nick](https://github.com/adrianhopebailie/modal-window/issues/5#issuecomment-550053989), and [Pete](https://github.com/w3ctag/design-reviews/issues/427#issuecomment-548957191). Let me try restating it.

Native UI for existing payment methods (e.g. the Apple Pay sheet in Safari) is difficult to spoof with web content, partly because the native sheet overlaps native browser UI and the web content. Adding a feature to the web which allows sites to populate something that looks like such a sheet with arbitrary web content makes it far easier for web sites to spoof such UI.

Given this concern, I don't think your [answer to question 11 of the security and privacy questionnaire](https://github.com/adrianhopebailie/modal-window/blob/master/explainer.md#security-self-assessment) is sufficient:

>> 11\. Does this specification allow an origin some measure of control over a user agent’s native UI?
>
> Yes, to some degree. It allows a website to create a new modal window context which makes the calling context inaccessible until the modal is closed. To mitigate abuse of this capability it is recommended that only a single modal can be open per parent context.

Nor is your [rationale for preferring your current proposal to pop-ups](https://github.com/adrianhopebailie/modal-window/blob/master/explainer.md#pop-upsnew-tabs):

> Pop-ups are generally locked down and difficult to invoke reliably due to the measures introduced by browsers to counter their abuse[…]
>
> Given their modal nature, we can’t yet think of a good way to abuse modal windows. The assumption being that only a single modal window will be allowed at a time.

In both of these cases, the "spam the user with modals" attack is considered, but the "spoof native UI for phishing purposes" is not. In particular, some of "the measures introduced by browsers to counter their abuse" are to counter the use of pop-ups for phishing. Don't you anticipate browsers having to take similar measures for modal windows? If not, why not?

-- 
https://github.com/w3ctag/design-reviews/issues/427#issuecomment-555762035

Received on Tuesday, 19 November 2019 23:22:37 UTC