Re: ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All]

Well I could have sworn I typed in alternate text during our meeting, but 
I can't find it in the minutes or the IRC log. I'll see if I can recreate 
an alternate version that addresses the concerns. Some of this may be too 
weak, or too strong, for some tastes, but it gets at the original spirit 
while addressing the issues raised. btw, I don't think just because 
something is not a current problem it should not be part of a standard. 
Standards are often based on current best practice. That is in fact a 
strong foundation to build a standard on. 


Web user agents MUST inform the user and request consent when web content 
attempts to install software outside of the browser environment, using 
browser mechanisms and technology that are explicitly provided for such 
installations. Web user agents SHOULD NOT provide features which can be 
used by web content to install software outside of the browser environment 
without the user's consent. Web user agents MAY provide mechanisms for 
users to pre-consent to a class of software installations. Web user agents 
SHOULD inform the user when web content is installing software outside of 
the browser environment that is covered by a pre-consent. 

Web user agents SHOULD inform the user when web content attempts to 
execute software outside of the browser environment. It MAY also request 
user consent. 


          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




From: "Ian Fette" <ifette@google.com>
To: michael.mccormick@wellsfargo.com
Cc: public-wsc-wg@w3.org
Date: 12/19/2007 08:08 PM
Subject: Re: ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All]



As per our 12/12 meeting, I am proposing removing the third bullet under 
8.3.2 - "Web user agents MUST inform the user and request consent when web 
content attempts to install or execute software outside of the browser 
environment". There are many things that make this hard / impossible to 
get right, and even harder to actually get the intended effect without 
being totally annoying. 

For instance, when you load a PDF, Acrobat Reader is launched outside of 
the browser context. Yet I don't really want a dialog box every time I 
browse to a PDF, I just want to see the PDF. Same thing when I click on a 
mailto: link - it's going to get shell executed, and software (my MUA) is 
going to run outside the browser. Or if there's an embedded video that 
causes the Windows Media Player plugin to do some funky COM stuff outside 
of the browser - again, I really don't want dialog boxes here. I 
understand the intent and think it's probably a good one, but it's really 
hard to actually get it right in words, and I think it's something that 
browsers are doing pretty well anyways. 

I'm not going to rehash everything in this email, please see the 12/12 
notes for a full review of the conversation ( 
http://www.w3.org/2007/12/12-wsc-minutes.html ). In that meeting, I said I 
would email back on this issue and propose that the best way to resolve it 
is to simply remove the bullet point, unless anyone feels strongly about 
it. If you do feel strongly about it, then please come up with some 
alternate text. 

Thanks,
Ian

On Nov 6, 2007 8:36 AM, <michael.mccormick@wellsfargo.com> wrote:

The "install" part is very important, but the "execute" part is a rabbit
hole we probably don't want to go down.

For example, when I point IE at a resource of MIME type ms/xls, Excel
launches outside the browser as a helper app.  It would be annoying if I
got constant warning messages every time I pull up an XLS, PDF, etc.
Constant warnings = ignored warnings.

I do want to be warned when a page tries to install a plugin like 
Acroread, but not every time that plugin runs.  Same for helpers,
toolbars, extensions, ActiveX controls, etc.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Web Security Context Working Group Issue Tracker
Sent: Tuesday, November 06, 2007 9:50 AM 
To: public-wsc-wg@w3.org
Subject: ISSUE-131 (Code outside browser): Executing code outside of
browser in 8.3.2.3 is vague / scary [All] 



ISSUE-131 (Code outside browser): Executing code outside of browser in
8.3.2.3 is vague / scary [All]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Ian Fette
On product: All

8.3.2.3 says "Web user agents MUST inform the user and request consent
when web content attempts to install or execute software outside of the
browser environment."

This is a bit vague and probably not what we intend. For instance, when
you navigate to a PDF on a browser using Acrobat Reader w/NPAPI plugin, 
what happens is that there is a plugin running in the browser, and then
Acrobat Reader launches in the browser, and there's a ton of IPC between
the plugin and Reader running in the background (which is doing the 
heavy lifting). This is executing software outside of the browser
environment, yet I don't think this is really what we were intending to
warn users about. At least, I will scream if I get a popup every time I 
navigate to a PDF. Seriously.

Received on Thursday, 20 December 2007 17:21:12 UTC