- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Mon, 26 Mar 2007 15:12:05 -0400
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: "Web Security Context WG" <public-wsc-wg@w3.org>
On 26-Mar-07, at 2:17 PM, Close, Tyler J. wrote:

> Hi Mike,
>
> I don't yet understand in what way the favicon text is currently
> misleading. Could you please clarify?

The current section (http://www.w3.org/TR/wsc-usecases/#favicon) reads:

-------------------
9.2.5 Favicon

The URL bar may display a logo retrieved from a location specified in the web site's content, or discovered in a well known location [favicon]. In either case, the choice to display a logo, and what image to use, is at the discretion of the visited web site. Often the padlock icon is also displayed in the URL bar. An attacker may confuse the user by using a favicon with the exact same image as is used for the padlock icon. In this case the user may believe that SSL is being used, when it is not.
-------------------

My suggestion was:

-------------------
9.2.5 Favicon

Websites can specify a small graphic called a [favicon] to act as an icon that appears in the URL bar in most desktop web browsers and on the tabs in some browsers. While the desktop web browsers control this chrome, none place any restrictions on the type of websites or type of images that will be displayed. As a result, a website can choose to display a favicon that looks exactly like the padlock icon that is displayed in the URL bar by many browsers to indicate an SSL connection. In this case the user may believe that SSL is being used, when it is not.
-------------------

> browser displays it as provided. I don't see how it can be argued that
> the current text is misleading. I think the sentence in question is:
>
> "In either case, the choice to display a logo, and what image to
> use, is at the discretion of the visited web site."

That's precisely what's misleading to my eye. The fact that favicon support exists does not mean that the choice to display a logo is not at the discretion of the website. It's actually at the discretion of the browser and the website; the browser must allow the website to display it, and the website must specify it.

Also, I find my phrasing of the first paragraph easier to read than yours ;)

That no browser currently restricts that usage is merely a policy issue. It can be turned on and off per website or per state as we wish.

The more I look at that section in comparison to those around it in 9.2, I notice ..:

- it's the only one to mention a specific type of attack (using the padlock icon)
- it's the only one I seemed to get prickly about explicitly calling out that browsers could restrict, when in truth, browsers *could* restrict any of the other spaces listed in that section as well.
- the introduction to 9.2 sets up the constant attack vector here, which is using information pulled from content and displayed in chrome to confuse users

How's this as an alternative - the subsections of 9.2 should just list where content is displayed in chrome. So:

-------------------
9.2.5 Favicon

Websites can specify a small graphic called a [favicon] to act as an icon that appears in the URL bar in most desktop web browsers and on the tabs in some browsers.
-------------------

I would similarly suggest that we change ..:

9.2.1
s/the attacker has full control over the content of the displayed web page
/This field is specified by the web page being viewed./

9.2.3
s/The current web page's URL is chosen by the creator of the referring hyperlink. When an attacker is directing victims to an imposter web site, the attacker is the creator of the referring hyperlink.
/The current web page's URL is chosen by the creator of the web page and the operator of the web server. It is displayed in the location bar of all browsers./

Lemme know if I should raise another action here, or if you disagree (I bet you will!)

cheers,
mike
Received on Monday, 26 March 2007 19:12:11 UTC