Re: ACTION-571: Draft text about showing unrelated identity signals

Good point. I think we should probably only include "security sensitive information" that the user must interact with, i.e. dialogs. That was the case that was brought up. Passive information like security indicators in the chrome are ok to exclude.

Unfortunately you are right -- this is not the way Firefox 3.x or Safari4 or IE7 behaves at least with regards to tabs and http basic auth. Not sure about Opera. So does that mean we should punt on this change?

I do think this would be good behavior - that is hiding dialogs associated with one tabs when you switch to another. But I could be swayed by the argument that this does not represent "accepted best practice" so is not for this document.

Joe

On 4/3/09 1:19 AM, "Thomas Roessler" <tlr@w3.org> wrote:

So, if the scenario is that we have four browser windows on the
screen, each of them with their own indicators (padlock, colored
address bar, ...), then only one of them is supposed to show an
indicator?

I'm pretty sure that that doesn't match what currently happens.  I
also don't know whether this is a well-considered change from current
behavior:  I could very well see usefulness in having several sets of
passive indicators on the screen *if* they are usefully related to the
pages that people interact with, or with the locus of attention.

--
Thomas Roessler, W3C  <tlr@w3.org>







On 2 Apr 2009, at 19:05, Joe Steele wrote:

> From the last meeting, in reference to comment #2 from one of the
> reviewers (http://lists.w3.org/Archives/Public/public-usable-authentication/2009Mar/0001.html
> ) Mez and I came up with the following text for a new section 7.3:
>
> "Browsers SHOULD NOT display security sensitive information for page
> content which the user is not interacting with. Security sensitive
> information includes security indicators, dialogs prompting for user
> credentials, script errors and dialogs."
>
> Please suggest improvements to both wording and content.
>
> Joe Steele