- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 19 Sep 2007 11:45:07 +0300
- To: Johnathan Nightingale <johnath@mozilla.com>
- Cc: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
On 2007-09-18 21:06:00 -0400, Johnathan Nightingale wrote:
> It's late, but I've taken a crack at putting the existing Mozilla
> robustness practices into rec track document language. The
> original wiki page is here:
>
> http://www.w3.org/2006/WSC/wiki/NoteMozillaCurrentPractice
> Proposed:
>
> That the placeholder content in section 7.3 be replaced with:

Excellent, thanks! This looks like a good starting point.

I wonder if it makes sense to break this material down in some more
detail, and map it to individual DOM APIs (however, we shouldn't limit
it to these); it's probably worth discussing this general laundry list
with the WebAPIs WG.

I'll probably have more comments; however, from a quick skim through
this material, I think I can wait with them till we've got an FPWD out.

> 7.3 APIs exposed to Web content
>
> User agents commonly allow web content to perform certain manipulations of
> agent UI and functionality (opening new windows, resizing existing windows,
> etc.) to permit customization of the user experience. These manipulations
> must be properly constrained to prevent malicious sites from concealing or
> obscuring important elements of the browser interface, or deceiving the user
> into performing dangerous acts. This section includes requirements and
> techniques to address known attacks of this kind.
>
> 7.3.1 Requirements (Normative)
>
> * Web user agents MUST prevent web content from obscuring, hiding, or
> disabling security UI.
> * Web user agents MUST NOT expose programming interfaces which permit
> installation of software, or execution of privileged code without user
> intervention.
>
> 7.3.2 Techniques (Normative)
>
> * Web user agents SHOULD restrict window sizing and moving operations to the
> visible desktop, where applicable. This prevents attacks wherein browser
> chrome is obscured by moving it off the edges of the visible screen.
> * Web user agents SHOULD NOT allow web content to open new windows with the
> browser's security UI hidden. Allowing this operation facilitates
> picture-in-picture attacks, where artificial chrome (usually indicating a
> positive security state) is supplied by the web content in place of the
> hidden UI.
> * Web user agents MUST inform the user and request consent when web content
> attempts to install or execute software outside of the browser environment.
> ** When informing users of this event, web user agents MUST employ a user
> interface which prevents immediate click through (e.g. with a briefly
> disabled OK button.) This prevents click-through and "whack a mole" attacks
> where users are encouraged by nuisance elements to continually click in a
> given location.
> * Web user agents SHOULD use difficult-to-spoof UI elements that cross the
> chrome-content border where appropriate.
> ** Web user agents MUST prevent web content from overlaying chrome.
> * Web user agents MAY restrict the opening of pop-up windows from web
> content, particularly those not initiated by user action. Creating
> excessive numbers of new popup windows is a technique that can be used to
> condition users to rapidly dismissing dialogs. This can be employed in
> "whack-a-mole" attacks as mentioned above.
> ** Web user agents which offer this restriction SHOULD offer a way to extend
> permission to individual trusted sites. Failing to do so encourages users
> who desire the functionality on certain sites to disable the feature
> universally.
>
> I also propose that I buy Mez a beer to apologize for taking so long.
>
> Cheers,
>
> J
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
>
>
>

-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 19 September 2007 08:45:15 UTC
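As an added illustration of how the 7.3.2 techniques quoted in the message above map onto the DOM APIs that Thomas suggests enumerating, the following is example code written for this page. It is not Mozilla's implementation, not code from the WSC wiki page, and not part of the thread. It models a user agent's policy at the API boundary for three of the proposed techniques: forcing security UI on in window.open() feature strings, clamping moveTo()/resizeTo() requests to the visible desktop, and gating pop-ups that lack a user gesture behind a per-site allowlist. The screen geometry, the minimum window size, the set of feature names treated as "security UI", the feature-string parsing rules and the allowlist policy are all assumptions made for the example.

```javascript
// Added example for this page; not code from the WSC thread, the Mozilla wiki page or
// any browser. It models how a user agent could enforce three of the proposed 7.3.2
// techniques at the DOM API boundary. Screen geometry, minimum window size, the list of
// "security UI" feature names and the pop-up policy are assumptions for illustration.

// Constructed visible desktop: a 1280x800 screen minus a 40px taskbar at the bottom.
const VISIBLE_DESKTOP = { left: 0, top: 0, width: 1280, height: 760 };

// Smallest window web content may resize itself to (assumed value).
const MIN_WINDOW = { width: 100, height: 100 };

// window.open() feature names treated here as security UI that content must not hide:
// the location bar (origin display) and the status bar (link targets). Assumption.
const SECURITY_UI_FEATURES = ['location', 'status'];

// Parse a window.open() feature string such as "width=300,height=200,location=no".
// A bare name means enabled; "no", "false" and 0 mean disabled; other numbers are kept.
function parseFeatures(features) {
  const out = {};
  for (const part of (features || '').split(',')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    if (eq === -1) { out[item] = true; continue; }
    const key = item.slice(0, eq).trim();
    const raw = item.slice(eq + 1).trim().toLowerCase();
    if (raw === 'no' || raw === 'false') { out[key] = false; continue; }
    if (raw === 'yes' || raw === 'true') { out[key] = true; continue; }
    const num = Number(raw);
    out[key] = Number.isNaN(num) ? true : (num === 0 ? false : num);
  }
  return out;
}

// "SHOULD NOT allow web content to open new windows with the browser's security UI
// hidden": compute the feature set the agent will honour. Browsers treat features that
// are omitted from a non-empty feature string as disabled, so each security UI element
// is forced on whether content set it to "no" or simply left it out; the names that had
// to be overridden are reported so the agent can log the attempt.
function sanitizeOpenFeatures(features) {
  const requested = parseFeatures(features);
  const effective = { ...requested };
  const overridden = [];
  for (const name of SECURITY_UI_FEATURES) {
    if (requested[name] !== true) overridden.push(name);
    effective[name] = true;
  }
  return { effective, overridden };
}

// "SHOULD restrict window sizing and moving operations to the visible desktop": given
// the rectangle moveTo()/resizeTo() asked for, return the one the agent applies. Size is
// clamped to [MIN_WINDOW, desktop], then the position is shifted so the whole window,
// chrome included, stays on screen. Oversized requests collapse to the full desktop.
function clampToVisibleDesktop(requested, desktop = VISIBLE_DESKTOP) {
  const width = Math.min(Math.max(requested.width, MIN_WINDOW.width), desktop.width);
  const height = Math.min(Math.max(requested.height, MIN_WINDOW.height), desktop.height);
  const maxLeft = desktop.left + desktop.width - width;
  const maxTop = desktop.top + desktop.height - height;
  const left = Math.min(Math.max(requested.left, desktop.left), maxLeft);
  const top = Math.min(Math.max(requested.top, desktop.top), maxTop);
  return { left, top, width, height };
}

// "MAY restrict the opening of pop-up windows ... particularly those not initiated by
// user action", with the per-site exception the draft asks for. Assumed policy: a
// pop-up without a user gesture is blocked unless the opener's origin is allowlisted.
function popupDecision(openerOrigin, hasUserGesture, allowedOrigins) {
  if (hasUserGesture) return 'allow';
  return allowedOrigins.has(openerOrigin) ? 'allow' : 'block';
}

// Stand-alone demonstration with constructed inputs.
console.log(sanitizeOpenFeatures('width=300,height=200,location=no,status=0,toolbar=no'));
console.log(clampToVisibleDesktop({ left: -5000, top: 3000, width: 400, height: 300 }));
console.log(popupDecision('https://example.com', false, new Set(['https://example.com'])));
```

The clamp deliberately operates on the outer window rectangle rather than the content area, since the attack the draft describes works by pushing the chrome, not the page, off screen; a content-area clamp would still let a site park its location bar above the top edge of the display.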