- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 10 Jun 2004 19:18:23 +0000 (UTC)
On Thu, 10 Jun 2004, Jose Dinuncio wrote:
>
> I think I've understood the reason of our divergences. If I interpret
> you rightly, the problem is that an intranet user is visiting an insecure
> site inside the intranet and a web app pops up and he is fooled to use
> this app.

Right. Where "insecure" doesn't mean it has any way of doing anything
actively hostile, it just fakes the user into entering his credit card
details, for example.

> The scenario I have in mind is another one: you need to do your job
> using several well known web apps in your intranet. You know that the
> CRM app is at http://mydoamin.com/crm. That's it: navigation vs. app
> delivery.

Oh, I totally understand the requirement.

>> Presentational markup is very bad for accessibility. Whatever language
>> you use, you would want it to be semantic. And luckily we have this
>> semantic language right here and already supported in several
>> browsers... HTML. :-)
> Ok. But if web apps outside the browser are to be implemented, it would
> be necessary a way to attach info to the window (again, menu bar,
> control bar, status bar, close button...)

Yeah, those would just be extensions to HTML in web-apps 1.0.

>> No but it will tell you whether the application is from www.paypal.com
>> or hostile.intranet.example.com, even if the actual content looks
>> identical in both.
>
> Security by browser chrome doesn't seem the way to go.

How would you do it then?

> I'm trying to keep open a path to WAOB. I think this feature can play an
> important role in the future of this project.

I agree. One possibility would be for the application to be able to
"request" WAOB status, maybe using an attribute or something:

   <html application="application">

...and this would pop up a dialog box saying:

   :: Security Warning :::::::::::::::::::::::::::::::::::
   |                                                     |
   |  The Web page at this domain:                       |
   |                                                     |
   |     paypcl.com                                      |
   |                                                     |
   |  ...wishes to launch an application in a separate   |
   |  window. Do you trust this domain?                  |
   |                                                     |
   |  [x] Remember this decision.                        |
   |                                                     |
   |  (( Trust paypcl.com ))  ( Display as Web page )    |
   |                                                     |
   '-----------------------------------------------------'

What do people think? Would this solve the problem?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 10 June 2004 12:18:23 UTC