- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 3 Dec 2007 16:57:43 -0500
- To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
- Message-Id: <78166436-DE70-462F-9AC0-36F17CE72983@mozilla.com>
The current normative language in 8.1.2 reads:

> Web User Agents MUST NOT display material controlled by Web content
> in parts of the user interface that are intended or commonly used to
> communicate trust information to users.

The concern I raised was that, speaking for myself, I don't care about *mixture* per se, I care about the ability of content to hijack chrome. I appreciate that the two are linked, but the example I raised (which §8.1.3 also uses) was that I have no problem with favicons, indeed I think they're an extremely useful cue from a usability standpoint. My problem is with the idea that a favicon could be an exact replica of a security indicator like, say, a padlock.

I proposed that the solution to this kind of problem lies in helping software developers build UIs which do not give chrome and content indicators equal weighting. A favicon can only spoof a security indicator if they are both 16x16 icons.

In that vein, then, I would recommend (and I welcome wordsmithing on any of this):

1) Changing the normative text in §8.1.2 to read:

> Web User Agents MUST NOT communicate trust information using user
> interface elements which can be mimicked in chrome by web content.
> Site-controlled content (e.g. page title, favicon) MAY be hosted in
> chrome, but this content MUST NOT be displayed in a manner that
> confuses hosted content and chrome indicators.

2) Removing the MUST NOT bullets in §8.1.3 relating to favicons. We can offer more guidance here though, so that the new section might read:

> 8.1.3 Techniques
>
> This section is normative.
>
> The following technique is neither necessary nor sufficient to claim
> conformance with the Requirement. However, conformance with this
> technique entails conformance with the necessary techniques that
> concern favorite icons.
>
> - Web User Agents MAY ignore favorite icon [FAVICON] references
>   that are part of Web content.
> - Web User Agents SHOULD NOT use a 16x16 image in chrome to
>   indicate security status if doing so would allow the FAVICON to
>   mimic it.

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Monday, 3 December 2007 21:57:58 UTC