Re: ACTION-356: picture-in-picture attacks

On 2008-01-17 10:36:59 -0800, Ian Fette wrote:

> I am not sure I fully understand the new text. "The editor bar MUST be
> displayed..." - is this saying it must be omnipresent, or that when it is
> displayed after being invoked by the user, it should have the customized
> theme etc?

I suspect the latter; however, that's actually old text.  Tyler?

> On Jan 17, 2008 9:54 AM, Thomas Roessler <tlr@w3.org> wrote:
> 
> >
> > I've moved most of the Wiki text about picture-in-picture attacks
> > [1] into the current editor's draft:
> >
> >  Many graphical user agents are vulnerable to picture-in-picture
> >  attacks: Graphic and script elements within an HTML page are used
> >  to simulate the look and feel of browser chrome. The attacker's
> >  goal is to recreate a convincing mockup of the browser chrome
> >  entirely within the content page, in order to provide (false)
> >  indicators of security to the user.
> >
> >  In these user agents, the editor bar MUST be displayed using a
> >  theme customized to the user. The user selects this theme at
> >  browser installation time and it remains forever the same. The
> >  icon for the Contacts button MUST also be selected by the user at
> >  installation time.

Maybe this is better:

     In these user agents, the editor bar MUST be presented using a
     theme (visual, audible, or otherwise) customized by the user.

... leaving out the other parts.  In particular, it's not clear to
me what benefit it has to not let the user change the theme, as
seems to be implied by the current text.

Also, "icon for the Contacts button" is a detail of one particular
possible implementation.

And there might be no useful concept of "installation time" for some
classes of deployments.

> >  --
> > http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#safebar-picture-in-picture
> >
> > 1. http://www.w3.org/2006/WSC/wiki/NoteTestCases
> >
> > I believe that ISSUE-126 can be closed.
> >
> > Regards,
> > --
> > Thomas Roessler, W3C  <tlr@w3.org>
> >
> >

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Friday, 18 January 2008 11:20:48 UTC