ISSUE-230: Clarifications for 7.4.2 (software installation) [wsc-xit] from Web Security Context Working Group Issue Tracker on 2009-09-21 (public-wsc-wg@w3.org from September 2009)

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 21 Sep 2009 11:25:26 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20090921112526.1F2334DD6C@crusher.w3.org>

ISSUE-230: Clarifications for 7.4.2 (software installation) [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/230

Raised by: Thomas Roessler
On product: wsc-xit

>From LC-2257:

7.4.2
What if the installation-related security aspects are controlled by the underlying security policy?
[4], specifically its section 3.2.3 is just FYI.

[4] http://bondi.omtp.org/1.01/security/BONDI_Architecture_and_Security_v1_01.pdf


>From LC-2255:

> Web user agents MUST NOT expose programming interfaces which permit installation of software without a user intervention.

What does it mean to install software?

> Web user agents MUST inform the user and request consent when web content attempts to install software outside of the browser environment.

Why can't the user agent simply ignore these attempts?

> Web user agents MAY inform the user when web content attempts to execute software outside of the agent environment.

What is the agent environment?  For example, does follow a mailto link
fall under this requirement given that seems to execute the user's
default mail software outside the user agents environment

Received on Monday, 21 September 2009 11:25:35 UTC