obscuring SCI from Mary Ellen Zurko on 2009-10-30 (public-wsc-wg@w3.org from October 2009)

From: Mary Ellen Zurko <mzurko@us.ibm.com>
Date: Fri, 30 Oct 2009 17:04:26 -0400
To: public-wsc-wg@w3.org
Message-ID: <OFAFF65A41.D68AD36A-ON8525765F.007275A5-8525765F.0073C33B@LocalDomain>

In his latest email, Adam Barth sent an excellent example of a browser 
that would claim compliance (Chrome) but provides a way for content to 
obscure SCI when the user interacts with that content (first picture): 
http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html

The part of the spec that this might violate is 7.4.1, first paragraph: 
Web user agents MUST prevent web content from obscuring, hiding, or 
disabling user interfaces that display security context information. 

In the meeting, we discussed this. There were two schools of thought. One 
was the simple downgrade from MUST to SHOULD. Another was that the example 
was clearly not a usable security problem, so why, and was that something 
we could extend this part of the spec with. The notion was that because 
the user must interact a specific way with the content to make this 
happen, that the content could not do it on its own, it was still within 
the spirit of our intention, and we should find some way to say that 
instead. I volunteered to take a crack at it. So the second alternative 
would be to change the text in this fashion:

Web user agents MUST prevent web content from obscuring, hiding, or 
disabling user interfaces that display security context information 
without user interactions. 

I can't say I like this. But I can't come up with anything better. So 
thoughts? Better proposal? Or is SHOULD the best we can do?

Received on Friday, 30 October 2009 21:05:14 UTC