W3C home > Mailing lists > Public > public-wsc-wg@w3.org > December 2007

RE: ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All]

From: <michael.mccormick@wellsfargo.com>
Date: Thu, 20 Dec 2007 15:16:38 -0600
Message-ID: <9D471E876696BE4DA103E939AE64164DA3BD20@msgswbmnmsp17.wellsfargo.com>
To: <ifette@google.com>, <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: <public-wsc-wg@w3.org>
I like the 1st paragraph as is.
 
I share Ian's concerns about the 2nd paragraph, but rather than throw
the baby out with the bathwater I think it can be salvaged.  For
instance:
 
Web user agents MAY inform the user when web content attempts to execute
software outside of the agent environment, and MAY also request user
consent, but SHOULD NOT do so unconditionally for all types of content
or software.  If the agent chooses to do this then it SHOULD do it for
specific content types, software types, or security context based on
risk.

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Thursday, December 20, 2007 11:36 AM
To: Mary Ellen Zurko
Cc: public-wsc-wg@w3.org
Subject: Re: ISSUE-131 (Code outside browser): Executing code outside of
browser in 8.3.2.3 is vague / scary [All]


Hi Mez,

Thanks for your work to provide alternate text. I like your first
paragraph, the only thing I might change is to say that "web user agents
MAY (instead of SHOULD) inform the user when web content is
installing... that is covered by a pre-consent". I.e. I may be fine
allowing automatic installation of code signed by Microsoft, as happens
half of the time I visit windows update in my virtual machine. I don't
know that I really want to see notifications if I've already said this
is OK.  I don't think this is a major concern for me, it's just
something I'd like us to consider. 

The second paragraph though brings up the same concerns I had with the
original text. We're saying that when you browse to a PDF (or a page
with a PDF embedded, i.e. a frameset where one of the frames is a PDF,
or any other wacky embed tags that IE might support), I really don't
want to see "Acrobat Reader is launching in the background. Yes/No".
That, and the fact that the browser might have no idea. It just loads
the acroread plugin, and then the plugin can start issuing whatever
calls it wants, which may result in new processes ( i.e. AcroRd32.exe)
being launched outside the browser context. Thus, I worry that the 2nd
paragraph is going to be either annoying at best, impossible to
implement at worst. I would therefore say "keep paragraph 1, drop
paragraph 2" of your new text... 

-Ian


On Dec 20, 2007 9:20 AM, Mary Ellen Zurko
<Mary_Ellen_Zurko@notesdev.ibm.com> wrote:



	Well I could have sworn I typed in alternate text during our
meeting, but I can't find it in the minutes or the IRC log. I'll see if
I can recreate an alternate version that addresses the concerns. Some of
this may be too weak, or too strong, for some tastes, but it gets at the
original spirit will addressing the issues raised. btw, I don't think
just because something is not a current problem it should not be part of
a standard. Standards are often based on current best practice. That is
in fact a strong foundation to build a standard on. 
	
	
	Web user agents MUST inform the user and request consent when
web content attempts to install software outside of the browser
environment, using browser mechanisms and technology that are explicitly
provided for such installations. Web user agents SHOULD NOT provide
features which can be used by web content to install software outside of
the browser environment without the user's consent. Web user agents MAY
provide mechanisms for users to pre-consent to a class of software
installations. Web user agents SHOULD inform the user when web content
is installing software outside of the browser environment that is
covered by a pre-consent. 
	
	Web user agents SHOULD inform the user when web content attempts
to execute software outside of the browser environment. It MAY also
request user consent. 
	
	
	          Mez
	
	Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l
333-6389)
	Lotus/WPLC Security Strategy and Patent Innovation Architect
	
	
	
	
From:	 "Ian Fette" <ifette@google.com>	
To:	 michael.mccormick@wellsfargo.com	
Cc:	 public-wsc-wg@w3.org
Date:	 12/19/2007 08:08 PM	
Subject:	 Re: ISSUE-131 (Code outside browser): Executing code
outside of browser in 8.3.2.3 is vague / scary [All]	

  _____  




	As per our 12/12 meeting, I am proposing removing the third
bullet under 8.3.2 - "Web user agents MUST inform the user and request
consent when web content attempts to install or execute software outside
of the browser environment". There are many things that make this hard /
impossible to get right, and even harder to actually get the intended
effect without being totally annoying. 
	
	For instance, when you load a PDF, Acrobat Reader is launched
outside of the browser context. Yet I don't really want a dialog box
every time I browse to a PDF, I just want to see the PDF. Same thing
when I click on a mailto: link - it's going to get shell executed, and
software (my MUA) is going to run outside the browser. Or if there's an
embedded video that causes the windows mediaplayer plugin to do some
funky COM stuff outside of the browser - again, I really don't want
dialog boxes here. I understand the intent and think it's probably a
good one, but it's really hard to actually get it right in words, and I
think it's something that browsers are doing pretty well anyways. 
	
	I'm not going to rehash everything in this email, please see the
12/12 notes for a full review of the conversation (
http://www.w3.org/2007/12/12-wsc-minutes.html
<http://www.w3.org/2007/12/12-wsc-minutes.html> ). In that meeting, I
said I would email back on this issue and propose that the best way to
resolve it is to simply remove the bullet point, unless anyone feels
strongly about it. If you do feel strongly about it, then please come up
with some alternate text. 
	
	Thanks,
	Ian
	
	On Nov 6, 2007 8:36 AM, <michael.mccormick@wellsfargo.com
<mailto:michael.mccormick@wellsfargo.com> > wrote:
	
	The "install" part is very important, but the "execute" part is
a rabbit
	hole we probably don't want to go down.
	
	For example, when I point IE at a resource of MIME type ms/xls,
Excel
	launches outside the browser as a helper app.  It would be
annoying if I
	got constant warning messages every time I pull up a XLS, PDF,
etc.
	Constant warnings = ignored warnings.
	
	I do want to be warned when a page tries to install a plugin
like 
	Acroread, but not every time that plugin runs.  Same for
helpers, 
	toolbars, extensions, ActiveX controls, etc.
	
	-----Original Message-----
	From: public-wsc-wg-request@w3.org
<mailto:public-wsc-wg-request@w3.org>
[mailto:public-wsc-wg-request@w3.org
<mailto:public-wsc-wg-request@w3.org> ]
	On Behalf Of Web Security Context Working Group Issue Tracker 
	Sent: Tuesday, November 06, 2007 9:50 AM 
	To: public-wsc-wg@w3.org <mailto:public-wsc-wg@w3.org> 
	

	Subject: ISSUE-131 (Code outside browser): Executing code
outside of
	
	browser in 8.3.2.3 <http://8.3.2.3/> is vague / scary [All] 




	ISSUE-131 (Code outside browser): Executing code outside of
browser in
	
	8.3.2.3 <http://8.3.2.3/> is vague / scary [All]
	
	
	http://www.w3.org/2006/WSC/track/issues/
<http://www.w3.org/2006/WSC/track/issues/> 
	
	Raised by: Ian Fette
	On product: All
	
	
	8.3.2.3 <http://8.3.2.3/> says "Web user agents MUST inform the
user and request consent 

	when web content attempts to install or execute software outside
of the 
	browser environment."
	
	This is a bit vague and probably not what we intend. For
instance, when
	you navigate to a PDF on a browser using Acrobat Reader w/NPAPI
plugin, 
	what happens is that there is a plugin running in the browser,
and then
	Acrobat Reader launches in the browser, and there's a ton of IPC
between
	the plugin and Reader running in the background (which is doing
the 
	heavy lifting). This is executing software outside of the
browser
	environment, yet I don't think this is really what we were
intending to
	warn users about. At least, I will scream if I get a popup every
time I 
	navigate to a PDF. Seriously.
	
	
	
	
	
Received on Thursday, 20 December 2007 21:17:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:55 GMT