[whatwg] Security risks of persistent background content (Re: Installed Apps)

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 29 Jul 2009 16:09:47 -0700
Message-ID: <5BF539F6-B05B-4B6E-ADF4-D5865CCC418F@apple.com>

On Jul 29, 2009, at 3:05 PM, Robert O'Callahan wrote:

> What happened to my idea for browsers to have a special window  
> containing tabs for "background apps", which save screen real estate  
> by just showing an icon and title (and a URL or domain?) and no  
> actual tab content? You might modify the UI so that quitting the  
> normal browser leaves this window open, possibly as a separate OS  
> app. Seems to me that this would provide almost exactly the desired  
> functionality but without introducing new security concerns and  
> without requiring a trust decision.

I haven't thought through this option in sufficient detail, but I'm  
not sure that it resolves all of the risks I mentioned or the risks of  
content outliving the page or the browser in general. Here are some  
questions that come immediately to mind:

1) What exactly does the window look like? Just a normal tabbed  
browser window with a window in each tab? I think users would find  
that confusing.

2) What happens if users close the magic window (which likely they  
will, if it's not obvious what it's for and just seems to be wasting  
real estate)? Are all the background tasks killed or do they secretly  
keep running? Either seems like a bad option.

3) In what way are users alerted to a new item being opened in the  
magic window - is there a UI for this that can avoid being either too  
distracting or too subtle?

4) Is it really ok for web content to survive browser quit and  
possibly even reboot just because there is a visible indicator on  
screen, without some explicit heavyweight form of user opt-in (like  
Prism)? I'm not sure it is. Especially if the magic window has tabs,  
if a number of popular web apps start using it, then users will start  
to blank it out and be vulnerable to the same kinds of risks I  
described (use for a botnet, waiting for exploits to be found, etc).

Given the risks I cited for the original form of the feature, I think  
we need to keep in mind that a lot of the security risks are subtle  
and insidious, and we need to be really cautious with any feature of  
this type.

Regards,
Maciej
Received on Wednesday, 29 July 2009 16:09:47 UTC