[whatwg] Security risks of persistent background content (Re: Installed Apps)

On Thu, Jul 30, 2009 at 11:09 AM, Maciej Stachowiak <mjs at apple.com> wrote:

> On Jul 29, 2009, at 3:05 PM, Robert O'Callahan wrote:
>
>> What happened to my idea for browsers to have a special window containing
>> tabs for "background apps", which save screen real estate by just showing an
>> icon and title (and a URL or domain?) and no actual tab content? You might
>> modify the UI so that quitting the normal browser leaves this window open,
>> possibly as a separate OS app. Seems to me that this would provide almost
>> exactly the desired functionality but without introducing new security
>> concerns and without requiring a trust decision.
>>
>
> I haven't thought through this option in sufficient detail, but I'm not
> sure that it resolves all of the risks I mentioned or the risks of content
> outliving the page or the browser in general. Here's some questions that
> come immediately to mind:
>
> 1) What exactly does the window look like? Just a normal tabbed browser
> window with a window in each tab? I think users would find that confusing.

I'm not a good person to design the appearance, but I was thinking of a
specialized view, perhaps a narrow vertical list containing the favicon and
the window title, with the domain or URL displayed on mouseover, plus a
close box. Like a vertical list of tab headers.

> 2) What happens if users close the magic window (which likely they will, if
> it's not obvious what it's for and just seems to be wasting real estate)?
> Are all the background tasks killed or do they secretly keep running? Either
> seems like a bad option.

They die, that's the whole point I guess. There could be an alert before the
window closes, like Firefox has today to warn about closing a window with
many tabs.

> 3) In what way are users alerted to a new item being opened in the magic
> window - is there a UI for this that can avoid being either too distracting
> or too subtle?

Again, I'm not the best person to design this, but the OS standard "window
bounce" notification and highlighting of newly-inserted tabs until the
window gets focus. Similar to the way, say, an IRC client like Colloquy
alerts for a personal message being received.

> 4) Is it really ok for web content to survive browser quit and possibly even
> reboot just because there is a visible indicator on screen, without some
> explicit heavyweight form of user opt-in (like Prism)?

I hope so, since you get that in Firefox today if a Web app opens a new
window or tab and then you quit Firefox or reboot the machine. Firefox's
session restore will offer to reopen the tabs and windows next time Firefox
runs (along with a "don't ask me again" checkbox).

> I'm not sure it is. Especially if the magic window has tabs, if a number of
> popular web apps start using it, then users will start to blank it out and
> be vulnerable to the same kinds of risks I described (use for a botnet,
> waiting for exploits to be found, etc).

Possibly, I don't know how that would work out.

But if a user has 100 tabs open that get automatically saved and restored
across browser restarts, aren't we already faced with the same problem?
(That is not an unusual scenario, apparently.)

> Given the risks I cited for the original form of the feature, I think we
> need to keep in mind that a lot of the security risks are subtle and
> insidious, and we need to be really cautious with any feature of this type.

I agree.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]

Received on Wednesday, 29 July 2009 21:13:44 UTC