Fw: Request for Reviewers: Section 7.4 of Web Security Context: User Interface Guidelines; deadline Sep 24

I've drafted the response to Adam in the resolution field of:
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20090226/2255

Please look it over and send any suggestions for improvements. 



I'll be sending all three of these out as early as Friday afternoon, my 
time. 

          Mez


----- Forwarded by Mary Ellen Zurko/Westford/IBM on 10/21/2009 09:57 AM 
-----

From:
Adam Barth <w3c@adambarth.com>
To:
Arthur Barstow <art.barstow@nokia.com>
Cc:
public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>, Mary 
Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, 
public-usable-authentication@w3.org
Date:
09/19/2009 02:12 AM
Subject:
Re: Request for Reviewers: Section 7.4 of Web Security Context: User 
Interface Guidelines; deadline Sep 24



Comments below.

> Web user agents MUST prevent web content from obscuring, hiding, or
> disabling security user interfaces.

This is impossible in a multi-window web user agent in an overlapping
window manager (e.g., every major browser on every major
general-purpose operating system).

> Web user agents MUST NOT allow web content to open new windows with the
> browser's security UI hidden.

This precludes innovative solutions to the full-screen video problem,
like Flash's disabling of the keyboard to prevent password theft.

> Web user agents MUST prevent web content from overlaying chrome. User
> interactions that are perceived to deal with browser chrome must not be
> detectable for Web content.

This is generally not the case for keyboard user interactions.  In
typical user agents, keyboard events are sent to the content area
before being processed by browser chrome.

> Web user agents MUST NOT expose programming interfaces which permit
> installation of software without a user intervention.

What does it mean to install software?

> Web user agents MUST inform the user and request consent when web
> content attempts to install software outside of the browser environment.

Why can't the user agent simply ignore these attempts?

> Web user agents MAY inform the user when web content attempts to execute
> software outside of the agent environment.

What is the agent environment?  For example, does following a mailto link
fall under this requirement, given that it seems to execute the user's
default mail software outside the user agent's environment?

> Web user agents MUST NOT expose programmatic interfaces that allow
> bookmarking without explicit user consent.

Should the user agent not expose the API without consent, or should
the API not allow bookmarking without consent?

> Web user agents MUST NOT expose programmatic interfaces that allow
> bookmarking an URL that does not match the URL of the page that the user
> currently interacts with.

Why not?

On a more general note, what do you mean by expose a programmatic
interface?  Does that cover browser extension APIs?  Those are
certainly programmatic interfaces exposed by the user agent.  Pushing
in another direction, what if the user agent exposed that
functionality via an HTML tag?  Would that be a *programmatic*
interface?

> Web user agents which offer this restriction SHOULD offer a way to
> extend permission to individual trusted sites. Failing to do so encourages
> users who desire the functionality on certain sites to disable the feature
> universally.

What if the user agent doesn't expose a user interface to disable the
feature universally?

Adam


On Thu, Sep 17, 2009 at 11:06 AM, Arthur Barstow <art.barstow@nokia.com> 
wrote:
> The title of the spec is actually "Web Security Context: User Interface
> Guidelines":
>
>  http://www.w3.org/TR/wsc-ui/#robustness-api
>
> On Sep 17, 2009, at 1:57 PM, Barstow Art (Nokia-CIC/Boston) wrote:
>
>> All,
>>
>> The Web Security Context Working Group asked WebApps to review
>> Section 7.4 of their Web Security Context Working Group spec:
>>
>>  <http://www.w3.org/TR/wsc-ui/#robustness-apis>
>>
>> If you have any comments, please send to the following list by
>> September 24 at the latest:
>>
>>  public-usable-authentication@w3.org
>>
>> -Regards, Art Barstow

Received on Wednesday, 21 October 2009 13:58:59 UTC