ISSUE-232: Clarifications for 7.4.1 (Obscuring or disabling Security User Interfaces) [wsc-xit] from Web Security Context Working Group Issue Tracker on 2009-09-21 (public-wsc-wg@w3.org from September 2009)

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 21 Sep 2009 11:28:46 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20090921112846.9C33A4DD6C@crusher.w3.org>

ISSUE-232: Clarifications for 7.4.1 (Obscuring or disabling Security User Interfaces) [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/232

Raised by: Thomas Roessler
On product: wsc-xit

>From LC-2255:

> Web user agents MUST prevent web content from obscuring, hiding, or disabling security user interfaces.

This is impossible in a multi-window web user agent in an overlapping
window manager (e.g., every major browser on every major
general-purpose operating system).

> Web user agents MUST NOT allow web content to open new windows with the browser's security UI hidden.

This precludes innovative solutions to the full-screen video problem,
like Flash's disabling of the keyboard to prevent password theft.

> Web user agents MUST prevent web content from overlaying chrome. User interactions that are perceived to deal with browser chrome must not be detectable for Web content.

This is generally not the case for keyboard user interactions.  In
typical user agents, keyboard events are sent to the content area
before being processed by browser chrome.

Received on Monday, 21 September 2009 11:28:54 UTC