W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

RE: Available security information section clarification

From: Close, Tyler J. <tyler.close@hp.com>
Date: Tue, 10 Apr 2007 21:17:19 -0000
Message-ID: <08CA2245AFCF444DB3AC415E47CC40AF9A36D0@G3W0072.americas.hpqcorp.net>
To: <public-wsc-wg@w3.org>
Hi Mez,
The attack is against a page that includes security relevant information
rendered in white text against a background whose color is determined by
a linked CSS stylesheet. If the browser fails to fetch and apply the
stylesheet, the important text will be rendered as white text on a white
background. In this case, providing the user with some indication that
the page they are interacting with does not reflect the full intent of
the page author is important. For example, it might be wise to disable
form submission until the page has been completely rendered.


	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
	Sent: Friday, April 06, 2007 6:51 AM
	To: Close, Tyler J.
	Cc: public-wsc-wg@w3.org
	Subject: Re: Available security information section

	> the "Provided by HTML" section into "Provided by web content".
I've also
	> added an entry to "Provided by user agent" for "Has the page
	> rendering?" This last item comes out of the white text on a
	> background case that results from failing to fetch a
	I'm unclear on the attack, and so confused by this explanation
of the motivation. When I think "Has the page completed rendering?" then
I think - it will eventually (unless some abrupt failure of some
component - server, network, client, user agent) occurs. But then, that
would mean that the stylesheet would eventually be fetched, and adhered
	Does that item instead mean "Has the page been completely
Received on Tuesday, 10 April 2007 21:18:20 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:15 UTC