- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 09 Apr 2007 09:44:15 -0400
- To: "Close, Tyler J." <tyler.close@hp.com>, public-wsc-wg@w3.org
There's another attack that has to do with whether the page has finished rendering: A lot of anti-phishing tools won't examine the page until it has completed rendering. This leads to an attack where the phisher can include code to force the page to take an infinite time to load, thus causing the indicator to fail. I wrote about this here: http://lorrie.cranor.org/pubs/toolbars.html serge Thomas Roessler wrote: > On 2007-04-05 00:34:00 -0000, Close, Tyler J. wrote: > >> I've edited the "Available security information" section in >> accordance with the discussion that generated ACTION-157. In >> particular, I've added some preamble text describing the >> structure of the section and broadened the "Provided by HTML" >> section into "Provided by web content". I've also added an entry >> to "Provided by user agent" for "Has the page completed >> rendering?" This last item comes out of the white text on a white >> background case that results from failing to fetch a stylesheet. > > That's a fascinating attack vector. But consider what happens if a > user stylesheet is in place that sets the text color to white, > globally, and with an "!important" declaration... > > I guess what all this boils down to is the question whether a page > as rendered to a particular user "looks" the way it was intended. > And that, in turn, leads us directly here: > > http://www.w3.org/TR/webarch/#pci > > I wonder if we really want to go down that particular direction of > discussion... > > Coming back to the "has page complete rendering" piece of context, I > wonder if there is a security-related motivation for looking at it > that is different from the issues that you get when content can be > presented in multiple ways, possibly by way of multiple modalities. > > If there is no such motivation, then I'd respectfully suggest we > drop it. > -- /* PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Monday, 9 April 2007 13:45:30 UTC