- From: Arve Bersvendsen <arveb@opera.com>
- Date: Mon, 11 May 2009 15:28:58 +0200
- To: ivan.demarino@orange-ftgroup.com, marcosc@opera.com
- Cc: public-webapps@w3.org
On Mon, 11 May 2009 15:10:57 +0200, <ivan.demarino@orange-ftgroup.com> wrote:

> I received an email from Arve explaining the possible "spoofing"
> scenario.

Oops. I thought I'd sent that mail to everyone, and not just to Ivan personally.

> He says this, and I think he is right:
> <Arve>
>> Forgive my ignorance, but... "spoofing attack"? O_o
>
> 1. Widget A is started in "Floating mode"
> 2. Widget A requests, and gets a mode change to "Application mode"
> 3. Widget A creates UI that looks like widget application grid
> 4. User thinks she or he is interacting with the application grid, and starts widget B
> 5. User types sensitive data into what she or he thinks is Widget B, while typing into widget A.
> </Arve>
>
> Given this, I agree with Arve and I think we are fine here.
>
> Regards
>
> ---
> Ivan De Marino
> Orange Labs
> Mobile and Web Software Engineer, R&D UK
> tel. +44 20 8849 5806
> mob. +44 7515 955 861
> mob. +44 7974 156 216
> ivan.demarino@orange-ftgroup.com
>
> This e-mail, and any files transmitted with it, is intended only for the use of the person/s or entity to whom it is addressed. If you are not the intended recipient (or authorised to receive information for the intended recipient) you must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and delete all copies of this e-mail. Thank you.
>
> France Telecom R&D UK Ltd is a company registered in England and Wales with company number 4193379. Our registered office is Minerva House, Montague Close, London, SE1 9BB.
>
> -----Original Message-----
> From: Marcos Caceres [mailto:marcosc@opera.com]
> Sent: 11 May 2009 13:59
> To: DE MARINO Ivan RD-ILAB-LON
> Cc: arveb@opera.com; public-webapps@w3.org
> Subject: Re: [widgets] window modes in P&C, was Re: Small question about latest version of "P&C specs" (11th Mar 2009)
>
> On 5/11/09 1:43 PM, ivan.demarino@orange-ftgroup.com wrote:
>> Forgive my ignorance, but... "spoofing attack"? O_o
>
> I guess Arve means click jacking.
>
>> I'll explain the scenario I have in mind:
>> - Widget calls the API "requestModeChange(<string representing a desired mode>);"
>> - WUA checks if that mode is valid (the string is valid) and if the WUA "likes" the mode (there could be WUA that supports only "fullscreen", for example)
>> - WUA does a "modechange" on the Widget
>
> would it not be easier to just set the widget.viewMode property? If it works, then the mode changes, onModeChange is fired. If it fails, nothing happens (or an error is thrown):
>
> function changeMode(aMode){
>   widget.viewMode = aMode;
> }
>
> widget.onModeChange = function(){
>   ...
> }
>
> changeMode("banana"); //nothing happens
> changeMode("mini"); //nothing happens
>
> What might be useful is an event object that tells you what the window mode changed from to... maybe.
>
>> Where exactly you think there could be a "confused UI" or a "spoofing"?
>
> I guess a floating widget that mimics another application, or a full screen widget that emulates a locked screen asking you to enter your username and password.
>
>> ---
>> Ivan De Marino
>> Orange Labs
>> Mobile and Web Software Engineer, R&D UK
>> tel. +44 20 8849 5806
>> mob. +44 7515 955 861
>> mob. +44 7974 156 216
>> ivan.demarino@orange-ftgroup.com
>>
>> -----Original Message-----
>> From: Arve Bersvendsen [mailto:arveb@opera.com]
>> Sent: 11 May 2009 12:25
>> To: DE MARINO Ivan RD-ILAB-LON; marcosc@opera.com
>> Cc: public-webapps@w3.org
>> Subject: Re: [widgets] window modes in P&C, was Re: Small question about latest version of "P&C specs" (11th Mar 2009)
>>
>> On Mon, 11 May 2009 13:14:40 +0200, <ivan.demarino@orange-ftgroup.com> wrote:
>>
>>> About the "widget requesting a resize", I sent in the past an email to Arve about something similar but not quite the same: a sort of "request mode change" or something. This would allow widgets to ASK the WUA for "mode change".
>>> Any news about that?
>>
>> As I've noted in the past, I don't really think this is a good idea, as the distinction between "floating" and "application" (or whatever we do with this in the end), will result in a confusing UI at best. At worst, we could end with UI spoofing attacks.
>>
>> --
>> Arve Bersvendsen
>>
>> Opera Software ASA, http://www.opera.com/

--
Arve Bersvendsen
Opera Software ASA, http://www.opera.com/
Received on Monday, 11 May 2009 13:29:42 UTC
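The thread sketches a `widget.viewMode` property that a widget user agent (WUA) validates, an `onModeChange` event that could carry the from/to modes, and a spoofing scenario in which a widget promotes itself from floating to application mode and then imitates the application grid. The following is an added example, written for this page and not code from the thread, Opera, Orange, or any W3C specification. It models one way a WUA could implement that property so that the scenario is mitigated: unknown mode strings are ignored (the thread's `"banana"` case), the event object carries `from` and `to`, and, as an assumed policy, transitions into modes that take over the screen are only granted when the WUA itself initiates them on a user action, never when the widget assigns the property on its own. The mode names, the supported set, the `USER_GESTURE_ONLY` policy, and all function names are assumptions of this example.

```javascript
// Added example (not from the thread or any spec): a model of a widget user
// agent's handling of widget.viewMode, with a defensive policy for the
// floating-to-application spoofing scenario discussed in the thread.
// Mode names, the supported set and the user-gesture policy are assumptions.

const SUPPORTED_MODES = new Set(["floating", "application", "fullscreen"]);

// Assumed policy: modes that can cover the WUA's own UI may only be entered
// through a user-driven action in the WUA, not by the widget assigning
// viewMode itself. This is what stops step 2 of Arve's scenario.
const USER_GESTURE_ONLY = new Set(["application", "fullscreen"]);

function createWidgetUserAgent(initialMode) {
  if (!SUPPORTED_MODES.has(initialMode)) {
    throw new RangeError("unsupported initial mode: " + initialMode);
  }
  let current = initialMode;
  const denied = []; // audit trail the WUA could log for review

  const widget = {
    onModeChange: null,
    get viewMode() { return current; },
    // Assignment from widget script carries no user gesture.
    set viewMode(mode) { requestMode(mode, false); },
  };

  function requestMode(mode, userInitiated) {
    // Unknown or non-string modes: "nothing happens", as in the thread.
    if (typeof mode !== "string" || !SUPPORTED_MODES.has(mode)) {
      denied.push({ mode, reason: "unsupported", userInitiated });
      return false;
    }
    if (mode === current) return true; // no change, no event
    if (USER_GESTURE_ONLY.has(mode) && !userInitiated) {
      denied.push({ mode, reason: "requires-user-gesture", userInitiated });
      return false;
    }
    const from = current;
    current = mode;
    // The event object Marcos suggests: tells the widget what it changed from and to.
    if (typeof widget.onModeChange === "function") {
      widget.onModeChange({ type: "modechange", from, to: mode, userInitiated });
    }
    return true;
  }

  // Called by the WUA's own chrome in response to a real user action.
  function userChangesMode(mode) { return requestMode(mode, true); }

  return { widget, userChangesMode, deniedRequests: () => denied.slice() };
}

// Walk through the cases raised in the thread and return what happened.
function demo() {
  const { widget, userChangesMode, deniedRequests } = createWidgetUserAgent("floating");
  const events = [];
  widget.onModeChange = (e) => events.push(e.from + "->" + e.to);

  widget.viewMode = "banana";       // unknown string: ignored
  widget.viewMode = "application";  // widget promotes itself (Arve's step 2): denied
  userChangesMode("application");   // user chooses it in the WUA: allowed, event fires
  widget.viewMode = "floating";     // widget shrinking itself back: allowed

  return {
    finalMode: widget.viewMode,
    events,
    denied: deniedRequests().map((d) => d.reason),
  };
}

console.log(demo());
```

The point of the split between `widget.viewMode` assignment and `userChangesMode` is that the property stays as simple as Marcos proposes for the widget author, while the decision about which transitions are safe lives in the WUA, where the user's intent is actually known.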