Re: obscuring SCI

We had a 50/50 split during the meeting today. The current count on the 
straw poll is:

A - Joe S, Jan Vidar K
B - Mez, Anil
C - Yngve

Looking for other votes (or changes in votes). I'd like to make the call 
this Friday. Please give an opinion if you haven't already.





From: Joe Steele <steele@adobe.com>
To: Mary Ellen Zurko/Westford/IBM@Lotus
Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 11/10/2009 05:24 PM
Subject: Re: obscuring SCI



I still say MUST. I looked at the pictures provided and I would argue that:

1.      the case where the second browser instance obscures the indicator 
is not something we should cover. Maybe we could change the text to better 
distinguish between two browser windows and browser tabs, but I am not 
convinced of that. I don't have a suggestion for better text. 
2.      the case where the select box covers the security indicator is 
bad. The select should be clipped within the browser frame like all the 
other content. I agree this is fairly benign but I have seen instances 
where there are redraw problems and bits from the selector are left 
obscuring browser chrome. It's a slippery slope.

Joe


On 11/9/09 12:01 PM, "Mary Ellen Zurko" <mzurko@us.ibm.com> wrote:

Straw poll:

A) Web user agents 
<http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST 
prevent web content from obscuring, hiding, or disabling user interfaces 
that display security context information without user interactions. 
B) Web user agents 
<http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> SHOULD 
prevent web content from obscuring, hiding, or disabling user interfaces 
that display security context information. 
C) Abstain

I vote B. I still don't like my rewording. 

We'll finish with this poll at the meeting this week. 



From: Mary Ellen Zurko/Westford/IBM@Lotus
To: public-wsc-wg@w3.org
Date: 10/30/2009 05:05 PM
Subject: obscuring SCI
Sent by: public-wsc-wg-request@w3.org



In his latest email, Adam Barth sent an excellent example of a browser 
that would claim compliance (Chrome) but provides a way for content to 
obscure SCI when the user interacts with that content (first picture): 
http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html

The part of the spec that this might violate is 7.4.1, first paragraph: 
Web user agents 
<http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST 
prevent web content from obscuring, hiding, or disabling user interfaces 
that display security context information. 

In the meeting, we discussed this. There were two schools of thought. One 
was the simple downgrade from MUST to SHOULD. Another was that the example 
was clearly not a usable security problem, so why, and was that something 
we could extend this part of the spec with. The notion was that because 
the user must interact a specific way with the content to make this 
happen, that the content could not do it on its own, it was still within 
the spirit of our intention, and we should find some way to say that 
instead. I volunteered to take a crack at it. So the second alternative 
would be to change the text in this fashion:

Web user agents 
<http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST 
prevent web content from obscuring, hiding, or disabling user interfaces 
that display security context information without user interactions. 

I can't say I like this. But I can't come up with anything better. So 
thoughts? Better proposal? Or is SHOULD the best we can do? 

Received on Wednesday, 11 November 2009 16:34:37 UTC