- From: David-Sarah Hopwood <david-sarah@jacaranda.org>
- Date: Sat, 24 Oct 2009 03:30:32 +0100
- To: public-webapps@w3.org

mzurko@us.ibm.com wrote:
> We are changing 7.4.3 to:
>> > User agents often include features that enable Web content to update
>> > the user's bookmark file, e.g. through a JavaScript API. If
>> > permitted unchecked, these features can serve to confuse users by,
>> > e.g., placing a bookmark that goes by the same name as the user's
>> > bank, but points to an attacker's site.
>> >
>> > Web user agents MUST NOT permit Web content to add bookmarks without
>> > explicit user consent.

This may be too weak. Why should a bookmark ever be added without the user explicitly initiating a bookmark-adding action? It's a bad idea to let web content initiate this and then ask the user whether it's OK.

>> > Web user agents MUST NOT permit Web content to add URIs to the
>> > user's bookmark collection that do not match the URI of the page
>> > that the user currently interacts with.

This may be too strong. It's violated by the "Bookmark This Link" option that many browsers have in the context menu for a hyperlink. The linked URI is not the URI of the page that the user currently interacts with.

I suggest replacing both sentences with:

Web user agents MUST NOT permit Web content to add bookmarks except as the result of an explicit user action. The URI added by such an action SHOULD match the expectation of the user; it SHOULD NOT be an URI other than that of the page the user currently interacts with, unless the user interface is such that a user would expect otherwise (for example, as in the case of "Bookmark This Link" in the context menu of a hyperlink).

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com

Received on Saturday, 24 October 2009 02:31:13 UTC