ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All] from Web Security Context Working Group Issue Tracker on 2007-11-06 (public-wsc-wg@w3.org from November 2007)

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 6 Nov 2007 15:50:18 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20071106155018.D5470C6DB6@barney.w3.org>

ISSUE-131 (Code outside browser): Executing code outside of browser in 8.3.2.3 is vague / scary [All]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Ian Fette
On product: All

8.3.2.3 says "Web user agents MUST inform the user and request consent when web content attempts to install or execute software outside of the browser environment."

This is a bit vague and probably not what we intend. For instance, when you navigate to a PDF on a browser using Acrobat Reader w/NPAPI plugin, what happens is that there is a plugin running in the browser, and then Acrobat Reader launches in the browser, and there's a ton of IPC between the plugin and Reader running in the background (which is doing the heavy lifting). This is executing software outside of the browser environment, yet I don't think this is really what we were intending to warn users about. At least, I will scream if I get a popup every time I navigate to a PDF. Seriously.

Received on Tuesday, 6 November 2007 15:50:26 UTC