- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 21 Dec 2006 12:20:14 -0600
- To: <public-wsc-wg@w3.org>
Mary Ellen Zurko wrote:
> There's only one thing potentially missing in the rearrangement.
> While much of "Attacks" was redundant with "Use Cases", we don't
> have enough on attacks that overwrite or otherwise disable
> security context information in existing user agents. Were you
> going to flesh that out in NoteProblemsWithCurrentUserInterface?
> If not, I'll call for a volunteer on that.

I was planning on a sub-section on spoofing the chrome. This sub-section would include:

* Configuring the browser to have no chrome, and then displaying spoof chrome
* Maximizing the browser window, or even making it larger than the display, and displaying a floating DIV tag that emulates a full browser window
* Bringing up the attacked site in a normal browser window and overlaying a frameless pop-up window over the login form.
* Visually extending the chrome by putting matching spoof chrome in the page area, but directly under the real chrome.

For each of these, I think the weakness can be made clear with a couple of sentences, and a screenshot. I typically think of a use-case as being a multi-step interaction. What is the convention in W3C documents? Are these points typically made with a use-case, or with a short text description?

Also, Thomas pointed out that we must not use any trademarks in a W3C document. What's the policy on including screenshots taken from trademarked applications?

I wasn't planning on including any text on overwriting the chrome by exploiting browser bugs. These should be out of scope, though our malware section isn't clear on that point yet.

Tyler

Received on Thursday, 21 December 2006 18:20:40 UTC