W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Re: Available security information section clarification

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 11 Apr 2007 14:20:25 +0200
To: "Close, Tyler J." <tyler.close@hp.com>
Cc: public-wsc-wg@w3.org
Message-ID: <20070411122025.GR26349@raktajino.does-not-exist.org>

On 2007-04-10 20:25:33 -0000, Close, Tyler J. wrote:

> I think there is a semantic difference between the user agent
> applying a set of user-specific stylesheets and the user agent
> inventing its own page style based of failure to fetch specified
> stylesheets. The latter scenario is a plausible attack vector for
> phishing. I think an indicator that communicates that the current
> rendering does not reflect the will of either the user or the
> page designer could be valuable.

I'd submit that this would likely be undecidable.

Consider that Web Content might include scripting that might do
whatever unintended things based on the fact that the client runs on
an unintended platform. How do you determine if that leads to the
intended rendering?

Consider different levels of CSS conformance.

Consider different levels of HTML conformance.

Consider all kinds of constraints both on the user agent and in the
network that might influence the rendering.

I'd also argue it's useless and troublesome from a web architecture
point of view, since part of the strength of that architecture is
the notion that there is a separation of presentation and content.
That implies that different presentations of the same content are
essentially deemed appropriate (indeed, they are often necessary).

The difference that you really want to determine is the one between
the content communicated to the user by the current presentation and
the content that was intended to be communicated.

I don't think we can tackle that by way of an indicator.

However, I'm wondering if there's value to a robustness mechanism
that disables some of the factors that make a "this is what's
intended" indicator so troublesome -- scripting in particular?

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 11 April 2007 12:20:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT