
Re: ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All]

From: Ian Fette <ifette@google.com>
Date: Thu, 20 Dec 2007 14:22:53 -0800
Message-ID: <bbeaa26f0712201422v4dc64d5dy83235d32cb0c619c@mail.gmail.com>
To: michael.mccormick@wellsfargo.com
Cc: Mary_Ellen_Zurko@notesdev.ibm.com, public-wsc-wg@w3.org
I like Mike's text.

On Dec 20, 2007 1:16 PM, <michael.mccormick@wellsfargo.com> wrote:

>  I like the 1st paragraph as is.
>
> I share Ian's concerns about the 2nd paragraph, but rather than throw the
> baby out with the bathwater I think it can be salvaged.  For instance:
>
> Web user agents MAY inform the user when web content attempts to execute
> software outside of the agent environment, and MAY also request user
> consent, but SHOULD NOT do so unconditionally for all types of content or
> software.  If the agent chooses to do this then it SHOULD do it for specific
> content types, software types, or security context based on risk.
>
>  ------------------------------
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of* Ian Fette
> *Sent:* Thursday, December 20, 2007 11:36 AM
> *To:* Mary Ellen Zurko
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: ISSUE-131 (Code outside browser): Executing code outside of
> browser in 8.3.2.3 is vague / scary [All]
>
> Hi Mez,
>
> Thanks for your work to provide alternate text. I like your first
> paragraph, the only thing I might change is to say that "web user agents MAY
> (instead of SHOULD) inform the user when web content is installing... that
> is covered by a pre-consent". I.e. I may be fine allowing automatic
> installation of code signed by Microsoft, as happens half of the time I
> visit windows update in my virtual machine. I don't know that I really want
> to see notifications if I've already said this is OK.  I don't think this is
> a major concern for me, it's just something I'd like us to consider.
>
> The second paragraph though brings up the same concerns I had with the
> original text. We're saying that when you browse to a PDF (or a page with a
> PDF embedded, i.e. a frameset where one of the frames is a PDF, or any
> other wacky embed tags that IE might support), I really don't want to see
> "Acrobat Reader is launching in the background. Yes/No". That, and the fact
> that the browser might have no idea. It just loads the acroread plugin, and
> then the plugin can start issuing whatever calls it wants, which may result
> in new processes (i.e. AcroRd32.exe) being launched outside the browser
> context. Thus, I worry that the 2nd paragraph is going to be either annoying
> at best, impossible to implement at worst. I would therefore say "keep
> paragraph 1, drop paragraph 2" of your new text...
>
> -Ian
>
> On Dec 20, 2007 9:20 AM, Mary Ellen Zurko <
> Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
> >
> > Well I could have sworn I typed in alternate text during our meeting,
> > but I can't find it in the minutes or the IRC log. I'll see if I can
> > recreate an alternate version that addresses the concerns. Some of this may
> > be too weak, or too strong, for some tastes, but it gets at the original
> > spirit while addressing the issues raised. btw, I don't think just because
> > something is not a current problem it should not be part of a standard.
> > Standards are often based on current best practice. That is in fact a strong
> > foundation to build a standard on.
> >
> >
> > Web user agents MUST inform the user and request consent when web
> > content attempts to install software outside of the browser environment,
> > using browser mechanisms and technology that are explicitly provided for
> > such installations. Web user agents SHOULD NOT provide features which can be
> > used by web content to install software outside of the browser environment
> > without the user's consent. Web user agents MAY provide mechanisms for users
> > to pre-consent to a class of software installations. Web user agents SHOULD
> > inform the user when web content is installing software outside of the
> > browser environment that is covered by a pre-consent.
> >
> > Web user agents SHOULD inform the user when web content attempts to
> > execute software outside of the browser environment. It MAY also request
> > user consent.
> >
> >
> >           Mez
> >
> > Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> > Lotus/WPLC Security Strategy and Patent Innovation Architect
> >
> >
> >
> > From: "Ian Fette" <ifette@google.com>
> > To: michael.mccormick@wellsfargo.com
> > Cc: public-wsc-wg@w3.org
> > Date: 12/19/2007 08:08 PM
> > Subject: Re: ISSUE-131 (Code outside browser): Executing code outside of
> > browser in 8.3.2.3 is vague / scary [All]
> > ------------------------------
> >
> >
> >
> > As per our 12/12 meeting, I am proposing removing the third bullet under
> > 8.3.2 - "Web user agents MUST inform the user and request consent when
> > web content attempts to install or execute software outside of the browser
> > environment". There are many things that make this hard / impossible to get
> > right, and even harder to actually get the intended effect without being
> > totally annoying.
> >
> > For instance, when you load a PDF, Acrobat Reader is launched outside of
> > the browser context. Yet I don't really want a dialog box every time I
> > browse to a PDF, I just want to see the PDF. Same thing when I click on a
> > mailto: link - it's going to get shell executed, and software (my MUA) is
> > going to run outside the browser. Or if there's an embedded video that
> > causes the windows mediaplayer plugin to do some funky COM stuff outside of
> > the browser - again, I really don't want dialog boxes here. I understand the
> > intent and think it's probably a good one, but it's really hard to actually
> > get it right in words, and I think it's something that browsers are doing
> > pretty well anyways.
> >
> > I'm not going to rehash everything in this email, please see the 12/12
> > notes for a full review of the conversation
> > (http://www.w3.org/2007/12/12-wsc-minutes.html). In that meeting, I
> > said I would email back on this issue and propose that the best way to
> > resolve it is to simply remove the bullet point, unless anyone feels
> > strongly about it. If you do feel strongly about it, then please come up
> > with some alternate text.
> >
> > Thanks,
> > Ian
> >
> > On Nov 6, 2007 8:36 AM, <michael.mccormick@wellsfargo.com> wrote:
> >
> > The "install" part is very important, but the "execute" part is a rabbit
> > hole we probably don't want to go down.
> >
> > For example, when I point IE at a resource of MIME type ms/xls, Excel
> > launches outside the browser as a helper app.  It would be annoying if I
> > got constant warning messages every time I pull up an XLS, PDF, etc.
> > Constant warnings = ignored warnings.
> >
> > I do want to be warned when a page tries to install a plugin like
> > Acroread, but not every time that plugin runs.  Same for helpers,
> > toolbars, extensions, ActiveX controls, etc.
> >
> > -----Original Message-----
> > From: public-wsc-wg-request@w3.org
> > [mailto:public-wsc-wg-request@w3.org]
> > On Behalf Of Web Security Context Working Group Issue Tracker
> > Sent: Tuesday, November 06, 2007 9:50 AM
> > To: public-wsc-wg@w3.org
> >
> > Subject: ISSUE-131 (Code outside browser): Executing code outside of
> > browser in 8.3.2.3 is vague / scary [All]
> >
> > ISSUE-131 (Code outside browser): Executing code outside of browser in
> > 8.3.2.3 is vague / scary [All]
> >
> > http://www.w3.org/2006/WSC/track/issues/
> >
> > Raised by: Ian Fette
> > On product: All
> >
> > 8.3.2.3 says "Web user agents MUST inform the user
> > and request consent
> > when web content attempts to install or execute software outside of the
> > browser environment."
> >
> > This is a bit vague and probably not what we intend. For instance, when
> > you navigate to a PDF on a browser using Acrobat Reader w/NPAPI plugin,
> > what happens is that there is a plugin running in the browser, and then
> > Acrobat Reader launches in the browser, and there's a ton of IPC between
> > the plugin and Reader running in the background (which is doing the
> > heavy lifting). This is executing software outside of the browser
> > environment, yet I don't think this is really what we were intending to
> > warn users about. At least, I will scream if I get a popup every time I
> > navigate to a PDF. Seriously.
Received on Thursday, 20 December 2007 22:23:07 GMT
