- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Tue, 27 Oct 2009 07:51:42 -0400
- To: public-wsc-wg@w3.org
- Message-ID: <OFC78178E7.A7D1717C-ON8525765C.004106BF-8525765C.00412924@LocalDomain>
Archive problem; it's too big, so it's not in the public-usable-authentication archive. Not sure if anyone is working on it.

I'd like to discuss at the meeting tomorrow, to see what, if anything, we missed discussing the first go round of Adam's comments. Philosophically, I fear some of it might be a conflict between standards that enable, and standards that proscribe. But I want to check in with others to see what they think.

Mez

----- Forwarded by Mary Ellen Zurko/Westford/IBM on 10/27/2009 07:50 AM -----

From: Adam Barth <w3c@adambarth.com>
To: Mary Ellen Zurko/Westford/IBM@Lotus
Cc: public-usable-authentication@w3.org, public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: 10/24/2009 01:55 PM
Subject: Re: Re: Request for Reviewers: Section 7.4 of Web Security Context: User Interface Guidelines; deadline Sep 24 (LC-2255)

It's too bad you didn't CC me on the discussion because I think you misunderstood several of my points.

On Fri, Oct 23, 2009 at 1:33 PM, <mzurko@us.ibm.com> wrote:
>> > Web user agents MUST prevent web content from obscuring, hiding, or disabling security user interfaces.
>>
>> This is impossible in a multi-window web user agent in an overlapping
>> window manager (e.g., every major browser on every major
>> general-purpose operating system).
>
> We're not talking about pop ups in the context of "MUST prevent web
> content from obscuring, hiding, or disabling security user interfaces."

Then what are you talking about? I've attached two screen shots of this requirement being violated. First, a <select> control is allowed to extend into the browser's address bar. Second, web content from Google is obscuring the EV indicator from Bank of America.

I don't doubt you had something different in mind when you wrote that requirement, but that requirement, as written, is basically impossible for browser vendors to comply with. I recommend either removing the requirement or writing what you actually mean.

>> > Web user agents MUST NOT allow web content to open new windows with the browser's security UI hidden.
>>
>> This precludes innovative solutions to the full-screen video problem,
>> like Flash's disabling of the keyboard to prevent password theft.
>
> Innovative full screen solutions are covered in the interaction between
> section 6.1.1 and section 7.1. Section 7.1 says the user agent cannot open
> windows without security chrome, however section 6.1.1 specifically allows
> for this when going into "presentation mode". The Flash behavior described
> falls into this category.

Then the requirements are contradictory. I recommend revising this requirement not to contradict the other parts of the spec.

Also, Firefox, Safari, and Google Chrome violate this requirement by allowing users to "install" web applications. Installed web applications are allowed to disable the browser's security user interface.

In general, this requirement is narrow-minded and not future-looking. I suspect browser vendors will simply ignore it.

>> > Web user agents MUST NOT expose programming interfaces which permit installation of software without a user intervention.
>>
>> What does it mean to install software?
>
> Installing software means downloading it for later execution.

You've missed the point. As desktop applications and web applications converge, these concepts become meaningless. What does it mean to "download" or "execute" something? Is AppCache covered by this requirement? Surely that's "downloading" the cached bits of the web application for later "execution" (i.e., use of the web application).

What if a user agent keeps a list of the 10 most recently used web applications and stores them in the start menu as if they were native applications? This would seem to violate this requirement yet seems perfectly sensible.

In general, this requirement is narrow-minded and not future-looking. I suspect browser vendors will simply ignore it.

>> > Web user agents MUST inform the user and request consent when web content attempts to install software outside of the browser environment.
>>
>> Why can't the user agent simply ignore these attempts?
>
> The requirement to notify the user is if the user agent is going to do the
> install and not just ignore the attempt.

That's not what the requirement says: "when web content attempts to install". I recommend revising this requirement to say what you mean.

Actually, I don't think the concept of "installing software" makes any sense. The concept isn't rigorously defined in the spec, and I don't think it is possible to give a rigorous future-looking definition.

> We are changing 7.4.3 to:
>> User agents often include features that enable Web content to update
>> the user's bookmark file, e.g. through a JavaScript API. If
>> permitted unchecked, these features can serve to confuse users by,
>> e.g., placing a bookmark that goes by the same name as the user's
>> bank, but points to an attacker's site.
>>
>> Web user agents MUST NOT permit Web content to add bookmarks without
>> explicit user consent.
>>
>> Web user agents MUST NOT permit Web content to add URIs to the
>> user's bookmark collection that do not match the URI of the page
>> that the user currently interacts with.

What is a bookmark file? For example, are the sites featured on the new tab page in Opera or Google Chrome part of the bookmark file? Is there a way to determine this without looking through the user's file system for a file named "bookmarks"? The sites on the new tab page were added by web content without explicit user consent. Does that violate this requirement?

In general, these requirements are not rigorously defined. I suspect the motivation behind adding them to the spec is to blacklist a goofy API in Internet Explorer. However, I don't think this is the right forum to complain about Internet Explorer mis-features.

Put another way, shouldn't we have a requirement that web content should not be allowed to change the default starting web page without explicit user consent? That seems just as sensible as the bookmark requirement. What about adding or removing buttons from the primary navigation toolbar?

>> > Web user agents which offer this restriction SHOULD offer a way to extend permission to individual trusted sites. Failing to do so encourages users who desire the functionality on certain sites to disable the feature universally.
>>
>> What if the user agent doesn't expose a user interface to disable the
>> feature universally?
>
> Browser vendor experience indicates that if the user agent provides
> annoying seemingly useless dialogs and does not provide the user with a way
> to disable them universally, users switch to another browser.

Is this a guide to building a popular browser? Browsers offer lots of features without ways to universally disable them. For example, most browsers do not allow users to universally disable the "alert" API or the ability to draw the letter "e".

The justification for this requirement does not make sense because it pre-supposes that the browser gives the users certain alternatives. Can my browser ignore the requirement if it does not offer the "dangerous" alternatives? Saying that my browser will be unpopular doesn't answer this question.

Adam

Attachments
- application/octet-stream attachment: bofa.png
- application/octet-stream attachment: google-bofa.png
Received on Tuesday, 27 October 2009 11:52:24 UTC