- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 28 Oct 2009 09:27:52 +0900
- To: public-usable-authentication@w3.org
- Cc: Thomas Roessler <tlr@w3.org>, Adam Barth <w3c@adambarth.com>
For a version of this message with all attachments, see:
http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html

(Mailing list size limits in effect...)

--
Thomas Roessler, W3C <tlr@w3.org>

Begin forwarded message:

> From: Adam Barth <w3c@adambarth.com>
> Date: 25 October 2009 02:53:09 GMT+09:00
> To: mzurko@us.ibm.com
> Cc: public-usable-authentication@w3.org, public-webapps <public-webapps@w3.org>,
>     Thomas Roessler <tlr@w3.org>, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
> Subject: [Moderator Action (size limit exceeded)] Re: Re: Request for Reviewers:
>     Section 7.4 of Web Security Context: User Interface Guidelines; deadline Sep 24 (LC-2255)
>
> It's too bad you didn't CC me on the discussion because I think you
> misunderstood several of my points.
>
> On Fri, Oct 23, 2009 at 1:33 PM, <mzurko@us.ibm.com> wrote:
>>>> Web user agents MUST prevent web content from obscuring, hiding, or
>>>> disabling security user interfaces.
>>>
>>> This is impossible in a multi-window web user agent in an overlapping
>>> window manager (e.g., every major browser on every major
>>> general-purpose operating system).
>>
>> We're not talking about pop ups in the context of "MUST prevent web
>> content from obscuring, hiding, or disabling security user
>> interfaces."
>
> Then what are you talking about? I've attached two screen shots of
> this requirement being violated. First, a <select> control is allowed
> to extend into the browser's address bar. Second, web content from
> Google is obscuring the EV indicator from Bank of America.
>
> I don't doubt you had something different in mind when you wrote that
> requirement, but that requirement, as written, is basically impossible
> for browser vendors to comply with. I recommend either removing the
> requirement or writing what you actually mean.
>
>>>> Web user agents MUST NOT allow web content to open new windows with
>>>> the browser's security UI hidden.
>>>
>>> This precludes innovative solutions to the full-screen video problem,
>>> like Flash's disabling of the keyboard to prevent password theft.
>>
>> Innovative full screen solutions are covered in the interaction between
>> section 6.1.1 and section 7.1. Section 7.1 says the user agent cannot open
>> windows without security chrome, however section 6.1.1 specifically allows
>> for this when going into "presentation mode". The Flash behavior described
>> falls into this category.
>
> Then the requirements are contradictory. I recommend revising this
> requirement not to contradict the other parts of the spec.
>
> Also, Firefox, Safari, and Google Chrome violate this requirement by
> allowing users to "install" web applications. Installed web
> applications are allowed to disable the browser's security user
> interface.
>
> In general, this requirement is narrow-minded and not future-looking.
> I suspect browser vendors will simply ignore it.
>
>>>> Web user agents MUST NOT expose programming interfaces which permit
>>>> installation of software without a user intervention.
>>>
>>> What does it mean to install software?
>>
>> Installing software means downloading it for later execution.
>
> You've missed the point. As desktop applications and web applications
> converge, these concepts become meaningless. What does it mean to
> "download" or "execute" something? Is AppCache covered by this
> requirement? Surely that's "downloading" the cached bits of the web
> application for later "execution" (i.e., use of the web application).
>
> What if a user agent keeps a list of the 10 most recently used web
> applications and stores them in the start menu as if they were native
> applications? This would seem to violate this requirement yet seems
> perfectly sensible.
>
> In general, this requirement is narrow-minded and not future-looking.
> I suspect browser vendors will simply ignore it.
>
>>>> Web user agents MUST inform the user and request consent when web
>>>> content attempts to install software outside of the browser
>>>> environment.
>>>
>>> Why can't the user agent simply ignore these attempts?
>>
>> The requirement to notify the user is if the user agent is going to do the
>> install and not just ignore the attempt.
>
> That's not what the requirement says: "when web content attempts to
> install". I recommend revising this requirement to say what you mean.
> Actually, I don't think the concept of "installing software" makes
> any sense. The concept isn't rigorously defined in the spec, and I
> don't think it is possible to give a rigorous future-looking
> definition.
>
>> We are changing 7.4.3 to:
>>> User agents often include features that enable Web content to update
>>> the user's bookmark file, e.g. through a JavaScript API. If
>>> permitted unchecked, these features can serve to confuse users by,
>>> e.g., placing a bookmark that goes by the same name as the user's
>>> bank, but points to an attacker's site.
>>>
>>> Web user agents MUST NOT permit Web content to add bookmarks without
>>> explicit user consent.
>>>
>>> Web user agents MUST NOT permit Web content to add URIs to the
>>> user's bookmark collection that do not match the URI of the page
>>> that the user currently interacts with.
>
> What is a bookmark file? For example, are the sites featured on the
> new tab page in Opera or Google Chrome part of the bookmark file? Is
> there a way to determine this without looking through the user's file
> system for a file named "bookmarks"? The sites on the new tab page
> were added by web content without explicit user consent. Does that
> violate this requirement?
>
> In general, these requirements are not rigorously defined. I suspect the
> motivation behind adding them to the spec is to blacklist a goofy API
> in Internet Explorer. However, I don't think this is the right forum
> to complain about Internet Explorer mis-features.
>
> Put another way, shouldn't we have a requirement that web content
> should not be allowed to change the default starting web page without
> explicit user consent? That seems just as sensible as the bookmark
> requirement. What about adding or removing buttons from the primary
> navigation toolbar?
>
>>>> Web user agents which offer this restriction SHOULD offer a way to
>>>> extend permission to individual trusted sites. Failing to do so
>>>> encourages users who desire the functionality on certain sites to
>>>> disable the feature universally.
>>>
>>> What if the user agent doesn't expose a user interface to disable the
>>> feature universally?
>>
>> Browser vendor experience indicates that if the user agent provides
>> annoying seemingly useless dialogs and does not provide the user with a way
>> to disable them universally, users switch to another browser.
>
> Is this a guide to building a popular browser? Browsers offer lots of
> features without ways to universally disable them. For example, most
> browsers do not allow users to universally disable the "alert" API or
> the ability to draw the letter "e". The justification for this
> requirement does not make sense because it pre-supposes that the
> browser gives the users certain alternatives. Can my browser ignore
> the requirement if it does not offer the "dangerous" alternatives?
> Saying that my browser will be unpopular doesn't answer this question.
>
> Adam
Received on Wednesday, 28 October 2009 00:27:56 UTC