Re: ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All] from Ian Fette on 2007-12-20 (public-wsc-wg@w3.org from December 2007)

From: Ian Fette <ifette@google.com>
Date: Thu, 20 Dec 2007 09:36:13 -0800
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: public-wsc-wg@w3.org
Message-ID: <bbeaa26f0712200936i492eb464ra41eef457d2f7eae@mail.gmail.com>
Hi Mez,

Thanks for your work to provide alternate text. I like your first paragraph,
the only thing I might change is to say that "web user agents MAY (instead
of SHOULD) inform the user when web content is installing... that is covered
by a pre-consent". I.e. I may be fine allowing automatic installation of
code signed by Microsoft, as happens half of the time I visit windows update
in my virtual machine. I don't know that I really want to see notifications
if I've already said this is OK.  I don't think this is a major concern for
me, it's just something I'd like us to consider.

The second paragraph though brings up the same concerns I had with the
original text. We're saying that when you browse to a PDF (or a page with a
PDF embedded, i.e. a frameset where one of the frames is a PDF, or any other
wacky embed tags that IE might support), I really don't want to see "Acrobat
Reader is launching in the background. Yes/No". That, and the fact that the
browser might have no idea. It just loads the acroread plugin, and then the
plugin can start issuing whatever calls it wants, which may result in new
processes (i.e. AcroRd32.exe) being launched outside the browser context.
Thus, I worry that the 2nd paragraph is going to be either annoying at best,
impossible to implement at worst. I would therefore say "keep paragraph 1,
drop paragraph 2" of your new text...

-Ian

On Dec 20, 2007 9:20 AM, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
wrote:

>
> Well I could have sworn I typed in alternate text during our meeting, but
> I can't find it in the minutes or the IRC log. I'll see if I can recreate an
> alternate version that addresses the concerns. Some of this may be too weak,
> or too strong, for some tastes, but it gets at the original spirit will
> addressing the issues raised. btw, I don't think just because something is
> not a current problem it should not be part of a standard. Standards are
> often based on current best practice. That is in fact a strong foundation to
> build a standard on.
>
>
> Web user agents MUST inform the user and request consent when web content
> attempts to install software outside of the browser environment, using
> browser mechanisms and technology that are explicitly provided for such
> installations. Web user agents SHOULD NOT provide features which can be used
> by web content to install software outside of the browser environment
> without the user's consent. Web user agents MAY provide mechanisms for users
> to pre-consent to a class of software installations. Web user agents SHOULD
> inform the user when web content is installing software outside of the
> browser environment that is covered by a pre-consent.
>
> Web user agents SHOULD inform the user when web content attempts to
> execute software outside of the browser environment. It MAY also request
> user consent.
>
>
>           Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
>
>
> From:"Ian Fette" <ifette@google.com>To:michael.mccormick@wellsfargo.comCc:
> public-wsc-wg@w3.org
> Date:12/19/2007 08:08 PMSubject:Re: ISSUE-131 (Code outside browser):
> Executing code outside of browser in 8.3.2.3 is vague / scary [All]
> ------------------------------
>
>
>
> As per our 12/12 meeting, I am proposing removing the third bullet under
> 8.3.2 - "Web user agents MUST inform the user and request consent when web
> content attempts to install or execute software outside of the browser
> environment". There are many things that make this hard / impossible to get
> right, and even harder to actually get the intended effect without being
> totally annoying.
>
> For instance, when you load a PDF, Acrobat Reader is launched outside of
> the browser context. Yet I don't really want a dialog box every time I
> browse to a PDF, I just want to see the PDF. Same thing when I click on a
> mailto: link - it's going to get shell executed, and software (my MUA) is
> going to run outside the browser. Or if there's an embedded video that
> causes the windows mediaplayer plugin to do some funky COM stuff outside of
> the browser - again, I really don't want dialog boxes here. I understand the
> intent and think it's probably a good one, but it's really hard to actually
> get it right in words, and I think it's something that browsers are doing
> pretty well anyways.
>
> I'm not going to rehash everything in this email, please see the 12/12
> notes for a full review of the conversation ( *http://www.w3.org/2007/12/12-wsc-minutes.html
> * <http://www.w3.org/2007/12/12-wsc-minutes.html>). In that meeting, I
> said I would email back on this issue and propose that the best way to
> resolve it is to simply remove the bullet point, unless anyone feels
> strongly about it. If you do feel strongly about it, then please come up
> with some alternate text.
>
> Thanks,
> Ian
>
> On Nov 6, 2007 8:36 AM, <*michael.mccormick@wellsfargo.com*<michael.mccormick@wellsfargo.com>>
> wrote:
>
> The "install" part is very important, but the "execute" part is a rabbit
> hole we probably don't want to go down.
>
> For example, when I point IE at a resource of MIME type ms/xls, Excel
> launches outside the browser as a helper app.  It would be annoying if I
> got constant warning messages every time I pull up a XLS, PDF, etc.
> Constant warnings = ignored warnings.
>
> I do want to be warned when a page tries to install a plugin like
> Acroread, but not every time that plugin runs.  Same for helpers,
> toolbars, extensions, ActiveX controls, etc.
>
> -----Original Message-----
> From: *public-wsc-wg-request@w3.org* <public-wsc-wg-request@w3.org>
> [mailto:*public-wsc-wg-request@w3.org* <public-wsc-wg-request@w3.org>]
> On Behalf Of Web Security Context Working Group Issue Tracker
> Sent: Tuesday, November 06, 2007 9:50 AM
> To: *public-wsc-wg@w3.org* <public-wsc-wg@w3.org>
>
> Subject: ISSUE-131 (Code outside browser): Executing code outside of
> browser in *8.3.2.3* <http://8.3.2.3/>is vague / scary [All]
>
>
>
> ISSUE-131 (Code outside browser): Executing code outside of browser in
> *
> **8.3.2.3* <http://8.3.2.3/>is vague / scary [All]
> *
> **http://www.w3.org/2006/WSC/track/issues/*<http://www.w3.org/2006/WSC/track/issues/>
>
> Raised by: Ian Fette
> On product: All
> *
> *
> *8.3.2.3* <http://8.3.2.3/>says "Web user agents MUST inform the user and
> request consent
> when web content attempts to install or execute software outside of the
> browser environment."
>
> This is a bit vague and probably not what we intend. For instance, when
> you navigate to a PDF on a browser using Acrobat Reader w/NPAPI plugin,
> what happens is that there is a plugin running in the browser, and then
> Acrobat Reader launches in the browser, and there's a ton of IPC between
> the plugin and Reader running in the background (which is doing the
> heavy lifting). This is executing software outside of the browser
> environment, yet I don't think this is really what we were intending to
> warn users about. At least, I will scream if I get a popup every time I
> navigate to a PDF. Seriously.
>
>
>
>
>
>
>
>
>
Received on Thursday, 20 December 2007 17:36:33 UTC