ACTION-248: Get Mozilla Robustness Practices into FPWD

Hey folks,

It's late, but I've taken a crack at putting the existing Mozilla  
robustness practices into rec track document language.  The original  
wiki page is here:

http://www.w3.org/2006/WSC/wiki/NoteMozillaCurrentPractice

Proposed:

That the placeholder content in section 7.3 be replaced with:

7.3  APIs exposed to Web content

User agents commonly allow web content to perform certain  
manipulations of agent UI and functionality (opening new windows,  
resizing existing windows, etc.) to permit customization of the user  
experience.  These manipulations must be properly constrained to  
prevent malicious sites from concealing or obscuring important  
elements of the browser interface, or deceiving the user into  
performing dangerous acts.  This section includes requirements and  
techniques to address known attacks of this kind.

7.3.1  Requirements (Normative)

* Web user agents MUST prevent web content from obscuring, hiding, or  
disabling security UI.
* Web user agents MUST NOT expose programming interfaces which permit  
installation of software, or execution of privileged code without  
user intervention.

7.3.2  Techniques (Normative)

* Web user agents SHOULD restrict window sizing and moving operations  
to the visible desktop, where applicable.  This prevents attacks  
wherein browser chrome is obscured by moving it off the edges of the  
visible screen.
* Web user agents SHOULD NOT allow web content to open new windows  
with the browser's security UI hidden.  Allowing this operation  
facilitates picture-in-picture attacks, where artificial chrome  
(usually indicating a positive security state) is supplied by the web  
content in place of the hidden UI.
* Web user agents MUST inform the user and request consent when web  
content attempts to install or execute software outside of the  
browser environment.
** When informing users of this event, web user agents MUST employ a  
user interface which prevents immediate click through (e.g. with a  
briefly disabled OK button).  This prevents click-through and "whack-  
a-mole" attacks where users are encouraged by nuisance elements to  
continually click in a given location.
* Web user agents SHOULD use difficult-to-spoof UI elements that  
cross the chrome-content border where appropriate.
** Web user agents MUST prevent web content from overlaying chrome.
* Web user agents MAY restrict the opening of pop-up windows from web  
content, particularly those not initiated by user action.  Creating  
excessive numbers of new popup windows is a technique that can be  
used to condition users to rapidly dismissing dialogs.  This can be  
employed in "whack-a-mole" attacks as mentioned above.
** Web user agents which offer this restriction SHOULD offer a way to  
extend permission to individual trusted sites.  Failing to do so  
encourages users who desire the functionality on certain sites to  
disable the feature universally.

I also propose that I buy Mez a beer to apologize for taking so long.

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Wednesday, 19 September 2007 01:06:17 UTC
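As an added example (not code from the original message, and not Mozilla's implementation), the JavaScript below sketches a user-agent-side policy layer for two of the techniques proposed for 7.3.2: window.open() feature strings are rewritten so content cannot hide security UI or place a window off the visible desktop (the first two techniques), and a consent dialog ignores its accept action until a short delay has elapsed (the click-through technique). The names SECURITY_UI, MIN_DIMENSION, sanitizeWindowFeatures, DelayedConsentDialog, the desktop work-area object and the feature-string inputs are assumptions constructed for illustration.

```javascript
// Added example: UA-side policy for window features and consent delay.
// Not taken from the original message or from any browser's source.

// Assumed set of chrome elements this UA treats as security UI. Content is
// never allowed to turn these off, whatever the feature string says.
const SECURITY_UI = ["location", "toolbar", "status"];
// Assumed minimum window size so a window cannot be shrunk to nothing.
const MIN_DIMENSION = 100;

// Parse a window.open() feature string such as
// "toolbar=no,location=no,width=300" into { toolbar: "no", location: "no", width: "300" }.
// A bare name (e.g. "resizable") counts as "yes", as browsers treat it.
function parseFeatures(featureString) {
  const features = {};
  for (const part of String(featureString || "").split(",")) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf("=");
    const name = (eq === -1 ? item : item.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "yes" : item.slice(eq + 1).trim().toLowerCase();
    if (name) features[name] = value;
  }
  return features;
}

function clamp(n, lo, hi) {
  return Math.min(Math.max(n, lo), hi);
}

// Integer from a feature value, or the fallback when absent or not numeric.
function toInt(value, fallback) {
  const n = parseInt(value, 10);
  return Number.isFinite(n) ? n : fallback;
}

// desktop = { left, top, width, height }: the visible work area (assumed shape).
// Returns the rewritten feature map, the clamped geometry, and the list of
// security UI elements the content tried to hide (useful for logging).
function sanitizeWindowFeatures(featureString, desktop) {
  const f = parseFeatures(featureString);
  const overrides = [];
  for (const name of SECURITY_UI) {
    if (f[name] === "no" || f[name] === "0" || f[name] === "false") overrides.push(name);
    f[name] = "yes"; // security UI stays visible regardless of the request
  }
  // Clamp size first so the window always fits, then clamp position so no
  // edge (and therefore no chrome) can be pushed off the visible desktop.
  const width = clamp(toInt(f.width, desktop.width), MIN_DIMENSION, desktop.width);
  const height = clamp(toInt(f.height, desktop.height), MIN_DIMENSION, desktop.height);
  const left = clamp(toInt(f.left, desktop.left), desktop.left, desktop.left + desktop.width - width);
  const top = clamp(toInt(f.top, desktop.top), desktop.top, desktop.top + desktop.height - height);
  const geometry = { left, top, width, height };
  for (const k of Object.keys(geometry)) f[k] = String(geometry[k]);
  return { features: f, geometry, overrides };
}

// Consent dialog whose accept control is disabled for delayMs after it is
// shown. Early clicks are dropped, not queued, so a pre-positioned rapid
// click cannot be banked against the dialog. The clock is injected so the
// behaviour can be exercised without real timers.
class DelayedConsentDialog {
  constructor(delayMs, clock = () => Date.now()) {
    this.delayMs = delayMs;
    this.clock = clock;
    this.shownAt = null;
    this.decision = null;
  }
  show() {
    this.shownAt = this.clock(); // re-showing restarts the delay
    this.decision = null;
  }
  acceptEnabled() {
    return this.shownAt !== null && this.clock() - this.shownAt >= this.delayMs;
  }
  // True only when the click is honoured.
  accept() {
    if (!this.acceptEnabled()) return false;
    this.decision = "accept";
    return true;
  }
  // Declining never needs to wait.
  cancel() {
    this.decision = "cancel";
    return true;
  }
}

// Stand-alone demo on a constructed request that tries to hide chrome and
// park the window off-screen.
const demoDesktop = { left: 0, top: 0, width: 1280, height: 800 };
console.log(JSON.stringify(sanitizeWindowFeatures(
  "toolbar=no,location=no,width=300,height=200,left=-5000,top=9999", demoDesktop)));
```

The geometry clamp deliberately sizes before positioning: if position were clamped first, an oversized request could still push the far edge of the window (and the chrome along it) past the desktop boundary. The dialog class models only the state machine; a real UA would additionally disable the button in the widget toolkit and restart the timer when the dialog is re-focused.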