W3C home > Mailing lists > Public > public-wsc-wg@w3.org > November 2007

RE: ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All]

From: <michael.mccormick@wellsfargo.com>
Date: Tue, 6 Nov 2007 10:36:50 -0600
Message-ID: <9D471E876696BE4DA103E939AE64164D6C79CD@msgswbmnmsp17.wellsfargo.com>
To: <public-wsc-wg@w3.org>

The "install" part is very important, but the "execute" part is a rabbit
hole we probably don't want to go down.

For example, when I point IE at a resource of MIME type ms/xls, Excel
launches outside the browser as a helper app.  It would be annoying if I
got constant warning messages every time I pull up a XLS, PDF, etc.
Constant warnings = ignored warnings.

I do want to be warned when a page tries to install a plugin like
Acroread, but not every time that plugin runs.  Same for helpers,
toolbars, extensions, ActiveX controls, etc.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Web Security Context Working Group Issue Tracker
Sent: Tuesday, November 06, 2007 9:50 AM
To: public-wsc-wg@w3.org
Subject: ISSUE-131 (Code outside browser): Executing code outside of
browser in 8.3.2.3 is vague / scary [All]



ISSUE-131 (Code outside browser): Executing code outside of browser in
8.3.2.3 is vague / scary [All]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Ian Fette
On product: All

8.3.2.3 says "Web user agents MUST inform the user and request consent
when web content attempts to install or execute software outside of the
browser environment."

This is a bit vague and probably not what we intend. For instance, when
you navigate to a PDF on a browser using Acrobat Reader w/NPAPI plugin,
what happens is that there is a plugin running in the browser, and then
Acrobat Reader launches in the browser, and there's a ton of IPC between
the plugin and Reader running in the background (which is doing the
heavy lifting). This is executing software outside of the browser
environment, yet I don't think this is really what we were intending to
warn users about. At least, I will scream if I get a popup every time I
navigate to a PDF. Seriously.
Received on Tuesday, 6 November 2007 16:37:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:53 GMT