
RE: Available security information section clarification

From: Close, Tyler J. <tyler.close@hp.com>
Date: Tue, 10 Apr 2007 21:17:19 -0000
Message-ID: <08CA2245AFCF444DB3AC415E47CC40AF9A36D0@G3W0072.americas.hpqcorp.net>
To: <public-wsc-wg@w3.org>
Hi Mez,
 
The attack is against a page that includes security relevant information
rendered in white text against a background whose color is determined by
a linked CSS stylesheet. If the browser fails to fetch and apply the
stylesheet, the important text will be rendered as white text on a white
background. In this case, providing the user with some indication that
the page they are interacting with does not reflect the full intent of
the page author is important. For example, it might be wise to disable
form submission until the page has been completely rendered.
 
Tyler


________________________________

	From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
	Sent: Friday, April 06, 2007 6:51 AM
	To: Close, Tyler J.
	Cc: public-wsc-wg@w3.org
	Subject: Re: Available security information section clarification

	Thanks.

	> the "Provided by HTML" section into "Provided by web content". I've also
	> added an entry to "Provided by user agent" for "Has the page completed
	> rendering?" This last item comes out of the white text on a white
	> background case that results from failing to fetch a stylesheet.

	I'm unclear on the attack, and so confused by this explanation of the motivation. When I think "Has the page completed rendering?" then I think - it will eventually (unless some abrupt failure of some component - server, network, client, user agent - occurs). But then, that would mean that the stylesheet would eventually be fetched, and adhered to.

	Does that item instead mean "Has the page been completely rendered?"?
	        Mez

Received on Tuesday, 10 April 2007 21:18:20 GMT
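The scenario Tyler describes, modelled in code as an added example. This is not code from the thread, the WSC WG, or any browser; it is a small Node.js model of what a user agent would have to track to answer "has the page completed rendering?" and to act on the answer. It assumes a constructed sample page (a warning in white inline text whose dark background comes only from a linked stylesheet at the made-up URL https://example.test/theme.css), a hypothetical `RenderTracker` that records which stylesheets loaded or failed, a `canSubmitForm` gate that stays closed until every tracked resource has loaded, and a WCAG 2.x contrast check that shows why the text disappears when the stylesheet is missing. The 4.5:1 threshold and the cascade model (inline colour always applies, a linked sheet's rules apply only if it loaded, UA default background white) are assumptions for the example.

```javascript
// Added example, not from the original message: a model of the user-agent
// check "has the page completed rendering?" and of the white-on-white
// failure that motivates it. Page, URLs and thresholds are constructed.

// --- WCAG 2.x relative luminance and contrast ratio -----------------------
function srgbToLinear(c8) {
  const c = c8 / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

function luminance(hex) {
  // hex is "#rrggbb"
  const n = parseInt(hex.slice(1), 16);
  const r = srgbToLinear((n >> 16) & 0xff);
  const g = srgbToLinear((n >> 8) & 0xff);
  const b = srgbToLinear(n & 0xff);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

function contrastRatio(fgHex, bgHex) {
  const l1 = luminance(fgHex);
  const l2 = luminance(bgHex);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// --- Cascade (assumed model): which background actually applies? ----------
// Inline styles always apply; a linked sheet's rules apply only if it loaded.
// The UA default background is white, which is what makes white text vanish.
const UA_DEFAULT_BACKGROUND = '#ffffff';

function effectiveStyle(page, loadedSheets) {
  let background = UA_DEFAULT_BACKGROUND;
  for (const sheet of page.stylesheets) {
    if (loadedSheets.has(sheet.href) && sheet.rules.background) {
      background = sheet.rules.background;
    }
  }
  return { color: page.inline.color, background };
}

// --- Render tracker (hypothetical): "has the page completed rendering?" ---
class RenderTracker {
  constructor(resourceUrls) {
    this.pending = new Set(resourceUrls);
    this.loaded = new Set();
    this.failed = new Set();
  }
  onLoad(url) { this.pending.delete(url); this.loaded.add(url); }
  onError(url) { this.pending.delete(url); this.failed.add(url); }
  // 'loading' while anything is outstanding, 'degraded' if any resource
  // failed (page does not reflect the author's full intent), else 'complete'.
  status() {
    if (this.pending.size > 0) return 'loading';
    if (this.failed.size > 0) return 'degraded';
    return 'complete';
  }
}

// Tyler's suggested mitigation: no form submission until rendering completed.
function canSubmitForm(tracker) {
  return tracker.status() === 'complete';
}

// Assess the page as the UA sees it given which resources have loaded.
function assessPage(page, tracker) {
  const style = effectiveStyle(page, tracker.loaded);
  const ratio = contrastRatio(style.color, style.background);
  return {
    renderStatus: tracker.status(),
    submitAllowed: canSubmitForm(tracker),
    contrast: ratio,
    warningLegible: ratio >= 4.5, // assumed threshold: WCAG AA body text
  };
}

// Constructed sample page: security warning in white inline text; the dark
// background is supplied only by the linked stylesheet.
const SAMPLE_PAGE = {
  inline: { color: '#ffffff' },
  stylesheets: [
    { href: 'https://example.test/theme.css', rules: { background: '#000033' } },
  ],
};

// Run the page through the tracker, with the stylesheet loading or failing.
function simulate(stylesheetLoads) {
  const tracker = new RenderTracker(SAMPLE_PAGE.stylesheets.map(s => s.href));
  const before = assessPage(SAMPLE_PAGE, tracker); // still loading: gate closed
  for (const s of SAMPLE_PAGE.stylesheets) {
    if (stylesheetLoads) tracker.onLoad(s.href); else tracker.onError(s.href);
  }
  return { before, after: assessPage(SAMPLE_PAGE, tracker) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('stylesheet loaded:', JSON.stringify(simulate(true).after));
  console.log('stylesheet failed:', JSON.stringify(simulate(false).after));
}
```

With the stylesheet loaded the warning sits at roughly 20:1 contrast and the gate opens; with the fetch failed the effective style is white on white (ratio exactly 1), the tracker reports `degraded`, and the gate stays closed, which is the indication to the user that Tyler argues for. A real browser would also have to treat fonts, images and scripts as tracked resources and decide what "settled" means for resources that are still being retried.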
