- From: <michael.mccormick@wellsfargo.com>
- Date: Wed, 26 Mar 2008 13:43:35 -0500
- To: <public-wsc-wg@w3.org>
- Message-ID: <9D471E876696BE4DA103E939AE64164D01133D34@msgswbmnmsp17.wellsfargo.com>
I was a little surprised to learn this morning that our early concept of secure chrome never made it into the editor's draft. If it's not too late, perhaps we ought to consider some language along these lines:

1. User agents MUST reserve some UI chrome that is protected for agent-only use; i.e. areas fully controlled by the core agent software; not modifiable by scripts, controls, or other content-based mechanisms; nor via APIs published to third-party plug-ins or helpers. (But see NOTE.)

2. All agent-generated identity and security indicators MUST appear in protected chrome areas.

3. User agents SHOULD provide a means to visually identify which areas of chrome are protected (e.g., background color).

4. User agents SHOULD display protected chrome regardless of display mode - full screen, custom skin, etc.

NOTE: It is understood of course that chrome cannot be protected against certain UI spoofing attacks such as picture-in-picture.

> Michael McCormick, CISSP
> Lead Security Architect, Information Security Technologies
> Wells Fargo Bank
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
Received on Wednesday, 26 March 2008 18:44:25 UTC