Re: obscuring SCI from Joe Steele on 2009-11-10 (public-wsc-wg@w3.org from November 2009)

From: Joe Steele <steele@adobe.com>
Date: Tue, 10 Nov 2009 14:22:50 -0800
To: Mary Ellen Zurko <mzurko@us.ibm.com>
CC: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Message-ID: <C71F27BA.DF3D%steele@adobe.com>

I still say MUST. I looked at the pictures provide and I would argue that:

1. the case where the second browser instance obscures the indicator is not something we should cover. Maybe we could change the text to better distinguish between to browser windows and browser tabs, but I am not convinced of that. I don't have a suggestion for better text.
2. the case where the select box covers the security indicator is bad. The select should be clipped within the browser frame like all the other content. I agree this is fairly benign but I have seen instances where there are redraw problems and bits from the selector are left obscuring browser chrome. It's a slippery slope.

Joe

On 11/9/09 12:01 PM, "Mary Ellen Zurko" <mzurko@us.ibm.com> wrote:

Straw poll:

A) Web user agents <http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information without user interactions.
B) Web user agents <http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> SHOULD prevent web content from obscuring, hiding, or disabling user interfaces that display security context information.
C) Abstain

I vote B. I still don't like my rewording.

We'll finish with this poll at the meeting this week.

From:Mary Ellen Zurko/Westford/IBM@Lotus
To:public-wsc-wg@w3.org
Date:10/30/2009 05:05 PM
Subject:obscuring SCI
Sent by:public-wsc-wg-request@w3.org
________________________________

In his latest email, Adam Barth sent an excellent example of a browser that would claim compliance (Chrome) but provides a way for content to obscure SCI when the user interacts with that content (first picture):
http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html <http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html>

The part of the spec that this might violate is 7.4.1, first paragraph:
Web user agents <http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information.

In the meeting, we discussed this. There were two schools of thought. One was the simple downgrade from MUST to SHOULD. Another was that the example was clearly not a usable security problem, so why, and was that something we could extend this part of the spec with. The notion was that because the user must interact a specific way with the content to make this happen, that the content could not do it on its own, it was still within the spirit of our intention, and we should find some way to say that instead. I volunteered to take a crack at it. So the second alternative would be to change the text in this fashion:

Web user agents <http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information without user interactions.

I can't say I like this. But I can't come up with anything better. So thoughts? Better proposal? Or is SHOULD the best we can do?

Received on Tuesday, 10 November 2009 22:23:51 UTC