Re: Re: Request for Reviewers: Section 7.4 of Web Security Context: User Interface Guidelines; deadline Sep 24 ( LC-2255)

It's too bad you didn't CC me on the discussion because I think you
misunderstood several of my points.

On Fri, Oct 23, 2009 at 1:33 PM,  <mzurko@us.ibm.com> wrote:
>> > Web user agents MUST prevent web content from obscuring, hiding, or
>> > disabling security user interfaces.
>>
>> This is impossible in a multi-window web user agent in an overlapping
>> window manager (e.g., every major browser on every major
>> general-purpose operating system).
>
> We're not talking about pop ups in the context of "MUST prevent web
> content from obscuring, hiding, or disabling security user interfaces."

Then what are you talking about?  I've attached two screen shots of
this requirement being violated.  First, a <select> control is allowed
to extend into the browser's address bar.  Second, web content from
Google is obscuring the EV indicator from Bank of America.

I don't doubt you had something different in mind when you wrote that
requirement, but that requirement, as written, is basically impossible
for browser vendors to comply with.  I recommend either removing the
requirement or writing what you actually mean.

>> > Web user agents MUST NOT allow web content to open new windows with
>> > the browser's security UI hidden.
>>
>> This precludes innovative solutions to the full-screen video problem,
>> like Flash's disabling of the keyboard to prevent password theft.
>
> Innovative full screen solutions are covered in the interaction between
> section 6.1.1 and section 7.1. Section 7.1 says the user agent cannot open
> windows without security chrome, however section 6.1.1 specifically allows
> for this when going into "presentation mode". The Flash behavior described
> falls into this category.

Then the requirements are contradictory.  I recommend revising this
requirement not to contradict the other parts of the spec.

Also, Firefox, Safari, and Google Chrome violate this requirement by
allowing users to "install" web applications.  Installed web
applications are allowed to disable the browser's security user
interface.

In general, this requirement is narrow-minded and not future-looking.
I suspect browser vendors will simply ignore it.

>> > Web user agents MUST NOT expose programming interfaces which permit
>> > installation of software without a user intervention.
>>
>> What does it mean to install software?
>
> Installing software means downloading it for later execution.

You've missed the point.  As desktop applications and web applications
converge, these concepts become meaningless.  What does it mean to
"download" or "execute" something?  Is AppCache covered by this
requirement?  Surely that's "downloading" the cached bits of the web
application for later "execution" (i.e., use of the web application).

What if a user agent keeps a list of the 10 most recently used web
applications and stores them in the start menu as if they were native
applications?  This would seem to violate this requirement yet seems
perfectly sensible.

In general, this requirement is narrow-minded and not future-looking.
I suspect browser vendors will simply ignore it.

>> > Web user agents MUST inform the user and request consent when web
>> > content attempts to install software outside of the browser
>> > environment.
>>
>> Why can't the user agent simply ignore these attempts?
>
> The requirement to notify the user is if the user agent is going to do the
> install and not just ignore the attempt.

That's not what the requirement says: "when web content attempts to
install".  I recommend revising this requirement to say what you mean.
Actually, I don't think the concept of "installing software" makes
any sense.  The concept isn't rigorously defined in the spec, and I
don't think it is possible to give a rigorous future-looking
definition.

> We are changing 7.4.3 to:
>> User agents often include features that enable Web content to update
>> the user's bookmark file, e.g. through a JavaScript API. If
>> permitted unchecked, these features can serve to confuse users by,
>> e.g., placing a bookmark that goes by the same name as the user's
>> bank, but points to an attacker's site.
>>
>> Web user agents MUST NOT permit Web content to add bookmarks without
>> explicit user consent.
>>
>> Web user agents MUST NOT permit Web content to add URIs to the
>> user's bookmark collection that do not match the URI of the page
>> that the user currently interacts with.

What is a bookmark file?  For example, are the sites featured on the
new tab page in Opera or Google Chrome part of the bookmark file?  Is
there a way to determine this without looking through the user's file
system for a file named "bookmarks"?  The sites on the new tab page
were added by web content without explicit user consent.  Does that
violate this requirement?

In general, these requirements are not rigorously defined.  I suspect the
motivation behind adding them to the spec is to blacklist a goofy API
in Internet Explorer.  However, I don't think this is the right forum
to complain about Internet Explorer mis-features.

Put another way, shouldn't we have a requirement that web content
should not be allowed to change the default starting web page without
explicit user consent?  That seems just as sensible as the bookmark
requirement.  What about adding or removing buttons from the primary
navigation toolbar?

>> > Web user agents which offer this restriction SHOULD offer a way to
>> extend permission to individual trusted sites. Failing to do so
>> encourages users who desire the functionality on certain sites to
>> disable the feature universally.
>>
>> What if the user agent doesn't expose a user interface to disable the
>> feature universally?
>
> Browser vendor experience indicates that if the user agent provides
> annoying, seemingly useless dialogs and does not provide the user with a way
> to disable them universally, users switch to another browser.

Is this a guide to building a popular browser?  Browsers offer lots of
features without ways to universally disable them.  For example, most
browsers do not allow users to universally disable the "alert" API or
the ability to draw the letter "e".  The justification for this
requirement does not make sense because it pre-supposes that the
browser gives the users certain alternatives.  Can my browser ignore
the requirement if it does not offer the "dangerous" alternatives?
Saying that my browser will be unpopular doesn't answer this question.

Adam

Received on Saturday, 24 October 2009 17:53:05 UTC