Re: "Chrome" from Chuck Wade on 2007-02-12 (public-wsc-wg@w3.org from February 2007)

From: Chuck Wade <Chuck@Interisle.net>
Date: Mon, 12 Feb 2007 15:44:21 -0500
To: Brad Porter <brad@tellme.com>
CC: public-wsc-wg@w3.org
Message-ID: <45D0D1A5.4010605@Interisle.net>
Brad Porter wrote:
>
> These are a good set of questions to use to test the two definitions I 
> suggested:
>
>> window chrome -- visual elements used by Desktop browsers or the OS 
>> window manager to surround the web page
>>
>> browser-controlled presentation elements -- any user interface 
>> presentation controlled explicitly by the browser and not under 
>> direct web page control
>
> Tests below...
>
> Chuck Wade wrote:
>> Brad, et al,
>>
>> [snip...]
>>
>>   2. What about the menu bar? Here we need to be careful that we don't
>>      get caught up in the OS wars.
> The menu bar is "window chrome".  Window chrome is a type of 
> "browser-controlled presentation element".
Ah, but if you use a Mac, the menu bar is OS chrome. Even the 
application menu elements are under the control of the Mac OS. Different 
strokes for different folks.
>>
>>   3. Speaking of the OS wars, should we at least consider the
>>      relationship of the OS to the browser? After all, the more
>>      complete trust relationship is User => OS => Browser => Web. 
> I think the user trust relationship is still with the browser, but the 
> browser has a dependency on the OS.
>
> Historically, the user has not expected the OS to make any statements 
> about network resources and HTTP has been at a layer slightly above 
> the OS consideration.
This distinction is getting blurred, and perhaps we should also consider 
what the optimal assignment of responsibilities should be. For one 
thing, the certificate trust stores have been moving into the OS realm, 
and user management of certs and password vaults is increasingly moving 
out of the browser. To cite one example, the popularity of RoboForm as a 
means for managing passwords and forms autofill across multiple browsers 
on the same OS is shifting the focus of user trust to other system 
modules besides the browser.
>>      Let's
>>      be real, the interaction between the OS and the browser has been a
>>      contentious issue of the past, and it's likely to remain so in the
>>      future. 
> Historically, the OS has largely punted and left security context 
> presentation information for network resources to the application.  
> This seems to be changing to some extent with Windows Vista.
And also with new versions of the Mac OS and new Linux distros. I 
brought this point up because it seems that there are some fundamental 
shifts taking place in what parts of the system manage presentation of 
security context.
>>      Would we be putting our heads in the sand if we ignore
>>      this issue? It is the OS that controls the display in the first
>>      place, and OS vendors already leverage this point of control
>>      within the browser context to their own advantage, but also to the
>>      advantage of users.
> I think it is a fair question to ask who is responsible for presenting 
> security context information -- the browser or the OS.  We may need a 
> definition of browser to complete this mix.  As OSes begin to 
> incorporate more HTTP and XML rendering into their core capabilities, 
> they become browsers.
> However, I think much of our security context consideration may be 
> able to remain agnostic to whether the browsing functionality comes 
> from the OS or an application.
I completely agree. However, I think WSC may have to expand it's focus 
if we are to avoid irrelevance in a changing environment.

By the way, the browser can also be embedded in other applications. As 
an example, you've been able to use Adobe Acrobat as a browser within a 
pdf document context for a long time. I've done major web research 
entirely within Acrobat at times. This capability will probably show up 
in the next version of Microsoft Office (and it's also part of IBM's 
Notes). We also see examples of Mozilla's Gecko engine, Konqueror, and 
Apple's Safari embedded within other application contexts providing full 
Web browsing capabilities, but within a different user context. 
Sometimes the users don't even realize they're browsing (e.g., Apple's 
iTunes Music Store).
>>   4. Should there be standard conventions for how to display the state
>>      of browser content controls within the default window frame
>>      "chrome" areas? (e.g., popups currently blocked) Can we keep this
>>      from leading to another round of toolbar mania?
> I think that is what the group is trying to do.  I'm not convinced 
> that it should be withing "window chrome", but certainly we're trying 
> to standardize how that information is presented in the 
> "browser-controlled presentation elements."
There may also be important connections to define between the indicators 
and buttons that are in the "window chrome" with "browser-controlled 
presentation elements" that extend the browser's ability to interact 
with the user.
>>
>>   5. Can any of this be made understandable to users? Aside, I contend
>>      that users will make the effort to understand and become facile
>>      with what matters to them and their browsing experience, but not
>>      necessarily what browser vendors or Web site content developers
>>      think should matter to users.
> That is clearly the core problem we're trying to solve.
Yep.
>>
>>   6. Is there a way to factor out a lot of the confusing knobs, dials,
>>      and indicators, and get to some simple "idiot-proofed" controls
>>      (analogous to "idiot lights" on an automobile dashboard). Here's
>>      where the "safe browsing" mode could come into play--a
>>      comprehensible mode that eliminates a lot of the clutter, but
>>      establishes confidence in the user that they can  reasonably
>>      determine whether or not to trust what's in front of their face.
> "Safe browsing" mode is one potential model for representing security 
> context information, but not the only one.  I also refer to my earlier 
> post, where it appears that the only thing we may really need to 
> safeguard is the submission of data.  Having an entire browser mode 
> dedicated to making sure that a form submit is secure seems perhaps 
> overkill.
For the most part I agree with you, and with the points you made in your 
earlier post. I referenced the "safe browser mode" to help illustrate 
the point about reducing complexity. However, I do think there are some 
issues of trust that relate only to the presentation of information, not 
just the submission of information. For example, a phraudster might try 
to convince victims that their 401k accounts had been wiped out as a 
prelude to getting them to call a telephone number where the nice person 
will take all their information to "fix" the problem. In general, as 
people become more reliant on the information they receive through their 
browsers, the ability to gain confidence in the veracity of both the 
source and the content will become increasingly important.
>>
>>   7. Where do we draw the distinction between browser controls (whether
>>      or not within the chrome) and controls associated with other
>>      content presentation tools within the same Web page? (e.g.,
>>      Acrobat, Flash, RealMedia, QuickTime, WM.) How would users like
>>      for these controls to be presented? Should we care?
> The important point which you make above is that the user needs to 
> establish trust to the browser clearly.  Therefore the browser needs 
> to clearly differentiate the "browser-controlled presentation 
> elements" from any other presentation elements displayed by the web 
> page or any plugin.
Except that most browsers don't do this today, nor do they provide the 
user with an ability to ascertain what content presentation tools are 
controlling the display of information on their screens. While seamless 
integration of various content presentation tools can be useful, it can 
also be a source of some troubling vulnerabilities.
>
> --Brad
>
...Chuck
Received on Monday, 12 February 2007 20:44:54 UTC