Re: Available security information section clarification

On 2007-04-05 00:34:00 -0000, Close, Tyler J. wrote:

> I've edited the "Available security information" section in
> accordance with the discussion that generated ACTION-157. In
> particular, I've added some preamble text describing the
> structure of the section and broadened the "Provided by HTML"
> section into "Provided by web content". I've also added an entry
> to "Provided by user agent" for "Has the page completed
> rendering?" This last item comes out of the white text on a white
> background case that results from failing to fetch a stylesheet.

That's a fascinating attack vector.  But consider what happens if a
user stylesheet is in place that sets the text color to white,
globally, and with an "!important" declaration...

I guess what all this boils down to is the question whether a page
as rendered to a particular user "looks" the way it was intended.
And that, in turn, leads us directly here:

  http://www.w3.org/TR/webarch/#pci

I wonder if we really want to go down that particular direction of
discussion...

Coming back to the "has page completed rendering" piece of context, I
wonder if there is a security-related motivation for looking at it
that is different from the issues that you get when content can be
presented in multiple ways, possibly by way of multiple modalities.

If there is no such motivation, then I'd respectfully suggest we
drop it.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Sunday, 8 April 2007 18:11:37 UTC