- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Wed, 11 Nov 2009 11:34:57 -0500
- To: "Joe Steele <steele" <steele@adobe.com>
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
- Message-ID: <OF33B0BF46.34FC5C1D-ON8525766B.005AE732-8525766B.005AFCEE@LocalDomain>
We had a 50/50 split during the meeting today. The current count on the straw poll is: A - Joe S, Jan Vidar K B - Mez, Anil C - Yngve Looking for other votes (or changes in votes). I'd like to make the call this Friday. Please give an opinion if you haven't already. From: Joe Steele <steele@adobe.com> To: Mary Ellen Zurko/Westford/IBM@Lotus Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org> Date: 11/10/2009 05:24 PM Subject: Re: obscuring SCI I still say MUST. I looked at the pictures provide and I would argue that: 1. the case where the second browser instance obscures the indicator is not something we should cover. Maybe we could change the text to better distinguish between to browser windows and browser tabs, but I am not convinced of that. I don?t have a suggestion for better text. 2. the case where the select box covers the security indicator is bad. The select should be clipped within the browser frame like all the other content. I agree this is fairly benign but I have seen instances where there are redraw problems and bits from the selector are left obscuring browser chrome. It?s a slippery slope. Joe On 11/9/09 12:01 PM, "Mary Ellen Zurko" <mzurko@us.ibm.com> wrote: Straw poll: A) Web user agents < http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information without user interactions. B) Web user agents < http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> SHOULD prevent web content from obscuring, hiding, or disabling user interfaces that display security context information. C) Abstain I vote B. I still don't like my rewording. We'll finish with this poll at the meeting this week. From:Mary Ellen Zurko/Westford/IBM@Lotus To:public-wsc-wg@w3.org Date:10/30/2009 05:05 PM Subject:obscuring SCI Sent by:public-wsc-wg-request@w3.org In his latest email, Adam Barth sent an excellent example of a browser that would claim compliance (Chrome) but provides a way for content to obscure SCI when the user interacts with that content (first picture): http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html < http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html> The part of the spec that this might violate is 7.4.1, first paragraph: Web user agents < http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information. In the meeting, we discussed this. There were two schools of thought. One was the simple downgrade from MUST to SHOULD. Another was that the example was clearly not a usable security problem, so why, and was that something we could extend this part of the spec with. The notion was that because the user must interact a specific way with the content to make this happen, that the content could not do it on its own, it was still within the spirit of our intention, and we should find some way to say that instead. I volunteered to take a crack at it. So the second alternative would be to change the text in this fashion: Web user agents < http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#def-user-agent> MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information without user interactions. I can't say I like this. But I can't come up with anything better. So thoughts? Better proposal? Or is SHOULD the best we can do?
Received on Wednesday, 11 November 2009 16:34:37 UTC