- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Tue, 10 Apr 2007 21:17:19 -0000
- To: <public-wsc-wg@w3.org>
- Message-ID: <08CA2245AFCF444DB3AC415E47CC40AF9A36D0@G3W0072.americas.hpqcorp.net>
Hi Mez,

The attack is against a page that includes security-relevant information rendered in white text against a background whose color is determined by a linked CSS stylesheet. If the browser fails to fetch and apply the stylesheet, the important text will be rendered as white text on a white background. In this case, providing the user with some indication that the page they are interacting with does not reflect the full intent of the page author is important. For example, it might be wise to disable form submission until the page has been completely rendered.

Tyler

________________________________
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, April 06, 2007 6:51 AM
To: Close, Tyler J.
Cc: public-wsc-wg@w3.org
Subject: Re: Available security information section clarification

Thanks.

> the "Provided by HTML" section into "Provided by web content". I've also
> added an entry to "Provided by user agent" for "Has the page completed
> rendering?" This last item comes out of the white text on a white
> background case that results from failing to fetch a stylesheet.

I'm unclear on the attack, and so confused by this explanation of the motivation. When I think "Has the page completed rendering?" then I think - it will eventually (unless some abrupt failure of some component - server, network, client, user agent - occurs). But then, that would mean that the stylesheet would eventually be fetched, and adhered to. Does that item instead mean "Has the page been completely rendered?"?

Mez
Received on Tuesday, 10 April 2007 21:18:20 UTC
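
A page-side approximation of the "has the page been completely rendered?" check discussed in the message above, as an added example that is not part of the original thread. The message proposes this as information the user agent provides; the function names `createRenderGate` and `guardForm` are hypothetical.

```javascript
// Added example: names below are hypothetical, not from the thread.

// Track each linked stylesheet as "pending", "loaded" or "failed".
function createRenderGate(stylesheetLinks) {
  const state = new Map();
  for (const link of stylesheetLinks) {
    // In a browser, link.sheet is non-null once the stylesheet has been
    // applied, which covers sheets that loaded before this script ran.
    state.set(link, link.sheet ? "loaded" : "pending");
    link.addEventListener("load", () => state.set(link, "loaded"));
    link.addEventListener("error", () => state.set(link, "failed"));
  }
  return {
    // "complete" only when every stylesheet was fetched and applied.
    status() {
      const values = [...state.values()];
      if (values.includes("failed")) return "failed";
      if (values.includes("pending")) return "pending";
      return "complete";
    },
  };
}

// Cancel submission while the page does not reflect the author's full styling.
function guardForm(form, gate, onBlocked) {
  form.addEventListener("submit", (event) => {
    const status = gate.status();
    if (status !== "complete") {
      event.preventDefault(); // fail closed
      onBlocked(status, form);
    }
  });
}

// Browser wiring; skipped outside a DOM environment.
if (typeof document !== "undefined") {
  const gate = createRenderGate(
    document.querySelectorAll('link[rel="stylesheet"]'));
  for (const form of document.forms) {
    guardForm(form, gate, (status) =>
      console.warn(`Submission blocked: stylesheet state is ${status}`));
  }
}
```

The gate fails closed: a stylesheet that never reports `load` keeps the form blocked.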