RE: [widgets] window modes in P&C, was Re: Small question about latest version of "P&C specs" (11th Mar 2009)

I received an email from Arve explaining the possible "spoofing"
scenario.

He says this, and I think he is right:
<Arve>
> Forgive my ignorance, but... "spoofing attack"? O_o

1. Widget A is started in "Floating mode"
2. Widget A requests, and gets a mode change to "Application mode"
3. Widget A creates UI that looks like widget application grid
4. User thinks she or he is interacting with the application grid, and starts widget B
5. User types sensitive data into what she or he thinks is Widget B, while typing into widget A.
</Arve>

Given this, I agree with Arve and I think we are fine here.

Regards

---
Ivan De Marino
Orange Labs
Mobile and Web Software Engineer, R&D UK
tel. +44 20 8849 5806
mob. +44 7515 955 861
mob. +44 7974 156 216
ivan.demarino@orange-ftgroup.com


This e-mail, and any files transmitted with it, is intended only for the
use of the person/s or entity to whom it is addressed. If you are not
the intended recipient (or authorised to receive information for the
intended recipient) you must not use, disclose, copy, print or rely on
this e-mail. If an addressing or transmission error has misdirected this
e-mail, please notify the author by replying to this e-mail and delete
all copies of this e-mail.  Thank you.

France Telecom R&D UK Ltd is a company registered in England and Wales
with company number 4193379. Our registered office is Minerva House,
Montague Close, London, SE1 9BB.

-----Original Message-----
From: Marcos Caceres [mailto:marcosc@opera.com] 
Sent: 11 May 2009 13:59
To: DE MARINO Ivan RD-ILAB-LON
Cc: arveb@opera.com; public-webapps@w3.org
Subject: Re: [widgets] window modes in P&C, was Re: Small question about latest version of "P&C specs" (11th Mar 2009)



On 5/11/09 1:43 PM, ivan.demarino@orange-ftgroup.com wrote:
> Forgive my ignorance, but... "spoofing attack"? O_o
>

I guess Arve means clickjacking.

> I'll explain the scenario I have in mind:
> - Widget calls the API "requestModeChange(<string representing a desired mode>);"
> - WUA checks if that mode is valid (the string is valid) and if the WUA "likes" the mode (there could be WUA that supports only "fullscreen", for example)
> - WUA does a "modechange" on the Widget

would it not be easier to just set the widget.viewMode property? If it
works, then the mode changes, onModeChange is fired. If it fails,
nothing happens (or an error is thrown):

// "widget" is the host object the WUA exposes to the widget; the setter is
// expected to validate the mode and either apply it or do nothing.
function changeMode(aMode){
    widget.viewMode = aMode;
}

// Fired only when the WUA actually applied a mode change.
widget.onModeChange = function(){
    ...
}

changeMode("banana"); //nothing happens: not a valid mode string
changeMode("mini"); //nothing happens: mode not supported by this WUA

What might be useful is an event object that tells you what the window
mode changed from to... maybe.

> Where exactly do you think there could be a "confused UI" or a "spoofing"?

I guess a floating widget that mimics another application, or a full
screen widget that emulates a locked screen asking you to enter your
username and password.

>
> -----Original Message-----
> From: Arve Bersvendsen [mailto:arveb@opera.com]
> Sent: 11 May 2009 12:25
> To: DE MARINO Ivan RD-ILAB-LON; marcosc@opera.com
> Cc: public-webapps@w3.org
> Subject: Re: [widgets] window modes in P&C, was Re: Small question about latest version of "P&C specs" (11th Mar 2009)
>
> On Mon, 11 May 2009 13:14:40 +0200, <ivan.demarino@orange-ftgroup.com> wrote:
>
>> About the "widget requesting a resize", I sent in the past an email to
>> Arve about something similar but not quite the same: a sort of
>> "request mode change" or something. This would allow widgets to ASK
>> the WUA for "mode change".
>> Any news about that?
>
> As I've noted in the past, I don't really think this is a good idea, as
> the distinction between "floating" and "application" (or whatever we do
> with this in the end), will result in a confusing UI at best. At worst,
> we could end with UI spoofing attacks.
>
> --
> Arve Bersvendsen
>
> Opera Software ASA, http://www.opera.com/

Received on Monday, 11 May 2009 13:12:59 UTC
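The following is an added illustration, not code from this thread, the widget spec or any WUA. It models the WUA side of the "widget.viewMode" setter Marcos sketches above (set the property; if the WUA accepts the mode, the mode changes and onModeChange fires; if not, nothing happens), gives the event the from/to fields he suggests, and adds one policy hook as a possible answer to Arve's scenario: the widget is not allowed to promote itself from "floating" into "application" mode on its own. The mode names, the supported set, the policy rule and the event shape are all assumptions made for the example.

```javascript
// Added example: a model of a WUA-side viewMode setter. Mode names, the
// supported set, the policy rule and the event shape are assumptions.
const VALID_MODES = ["floating", "application", "fullscreen", "mini"];

function createWidgetHost(options) {
  const supported = new Set(options.supported);
  // Policy hook: decides whether a widget-initiated change is allowed.
  // Default: allow everything (a WUA with no anti-spoofing rule).
  const policy = options.policy || (() => true);
  let current = options.initial;
  const widget = { onModeChange: null };

  Object.defineProperty(widget, "viewMode", {
    get() { return current; },
    set(requested) {
      // 1. The string must name a known mode ("banana": nothing happens).
      if (!VALID_MODES.includes(requested)) return;
      // 2. The WUA must support it ("mini" on a WUA without it: nothing happens).
      if (!supported.has(requested)) return;
      // 3. Already in that mode: no change, no event.
      if (requested === current) return;
      // 4. Policy decision: the WUA may refuse a widget-initiated transition.
      if (!policy(current, requested)) return;
      const previous = current;
      current = requested;
      if (typeof widget.onModeChange === "function") {
        // Event object carrying what the mode changed from and to.
        widget.onModeChange({ from: previous, to: requested });
      }
    },
    enumerable: true,
  });
  return widget;
}

// Assumed policy: a widget may move between modes freely except that it may
// not promote itself from "floating" into "application" mode, which is the
// transition Arve's spoofing scenario relies on. Under this rule only the
// WUA (or the user through WUA chrome) makes that transition.
function noSelfPromotion(from, to) {
  return !(from === "floating" && to === "application");
}

// Runs the sequence from the thread against a WUA that supports three modes
// and applies the policy; returns the final mode and the fired events.
function demo() {
  const log = [];
  const widget = createWidgetHost({
    initial: "floating",
    supported: ["floating", "application", "fullscreen"],
    policy: noSelfPromotion,
  });
  widget.onModeChange = (e) => log.push(`${e.from}->${e.to}`);

  widget.viewMode = "banana";      // unknown mode: nothing happens
  widget.viewMode = "mini";        // valid string, unsupported here: nothing happens
  widget.viewMode = "application"; // refused by policy: nothing happens
  widget.viewMode = "fullscreen";  // accepted: onModeChange fires
  widget.viewMode = "floating";    // accepted: onModeChange fires
  return { mode: widget.viewMode, log };
}
```

Under the assumed policy the only way a widget reaches "application" mode is through the WUA itself, so the silent failure that the setter design already implies for bad strings and unsupported modes also covers the refused transition: the widget sees no mode change and no event, and cannot tell the three cases apart.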