Best practice

An idea that has no evidence to support its merits and that probably doesn't work, but that you can attribute to someone else when things go horribly, horribly wrong.

Chrome

The visible control surface of an application. It includes graphical elements (widgets) that may be used to interact with the program. Common widgets are: windows, buttons, menus, and scroll bars. Larger widgets, such as windows, usually provide a frame or container for the main presentation content such as a web page, email message or drawing. Smaller ones usually act as a user-input tool.

While the term is used to describe control surfaces of both client-side applications (such as a web client) and web applications (which are contained within the control surface of a web browser), in this document, chrome will refer only to the control surface of the web-client.

Dialog box

A window in which resides a button labeled "OK" and a variety of text and other content that users ignore.

Dynamic Content

Page content that is not Static Content (see: Static Content). The rendering of a web page composed of only static content has a completion point, after which the rendered view remains constant until the user chooses to navigate to another web page. Dynamic content is anything that changes this interaction or is given additional access to user agent functions.

Favicon

See Wikipedia's definition.

A favicon (short for "favorites icon"), also known as a page icon or an urlicon, is an icon associated with a particular website or webpage. A web designer can create such an icon, and many recent web browsers can then make use of them. Browsers that support favicons may display them in the browser's URL bar, next to the site's name in lists of bookmarks, and next to the page's title in a tabbed document interface.

Link

<a href="#Link">Maybe it's time for Ritalin?</a>

Location Bar

A widget in a web user agent which displays (and often allows input of) the textual location (entered as a URL) of the resource being requested (or displayed - after the response is received). Also known as the URL bar. (See: Wikipedia's definition for a more complete description including screen-shots of some examples).

Padlock icon

Like Maggie Simpson, it is also small, yellow, and its absence invariably goes unnoticed.

Primary Security Context Indicators

SCI that is presented to the user in the course of their primary task.

Reputation service

The deus ex machina of anti-spam and anti-phishing systems. (Credit for this definition goes to Allan Friedman.)

Robustness

Robustness is the ability to continue to function properly in the presence of adverse events.

Because a user agent is a component in a complex, coupled system, WSC defines robustness as having three characteristics. The first is the ability of the user agent to retain the designer's intended functionality, specifically retaining the user's security posture when unexpected security events are triggered. The second is enhancing existing user agent information assurance components with application tools and interfaces that provide multiple layers of trust, helping the user to make informed security decisions. The third is the integration of security events into the user's work flow, providing a consistent presentation of security details so that the user can go about required tasks confident of the security decisions being made.

Secondary Security Context Indicators

SCI that is available to the user in addition to the primary SCI, but requiring user interaction that is not part of their primary task.

Security Context Information

A phrase used throughout the WSC Charter. Security information made available to the user through a web user agent. Security Context Information (SCI) "enable[s] users to come to a better understanding of the context they are operating in when making trust decisions in the Web".

Security Context Information Robustness

Techniques to make the SCI (and chrome) robust against attacks (including spoofing). These include techniques to disallow content-based windows that look like chrome, as well as techniques that make SCI hard to guess.

Static Content

Page content for which the rendering of this content has a completion point. (The rendering of a web page composed of only static content has a completion point, after which the rendered view remains constant until the user chooses to navigate to another web page. Dynamic content is anything that changes this interaction or is given additional access to user agent functions.)

URL bar

See Location Bar.

User agent

Also "web user agent"

A user agent is software to access Web content, including desktop graphical browsers, text browsers, voice browsers, mobile phones, multimedia players, plug-ins, and some software assistive technologies used in conjunction with browsers such as screen readers, screen magnifiers, and voice recognition software. [See W3C Web Content Accessibility Guidelines]

User separation

Why children scream when someone other than a parent picks them up.

(Stuart should have probably just eliminated this item, but maybe someone else knows what was intended by it)

Web Browser

A web client designed as an interface between a user and the web.

Web Client

A software program that issues requests to web servers.

Web Page

A web page consists of content from a master document and zero or more descendant documents. Descendant documents are fetched as specified by the master document or by other descendant documents which have already been fetched. The documents may include:

  1. Content to be rendered (Most master documents fit into this category)
  2. Style sheets that affect how content is rendered
  3. Scripts that may modify the contents of page elements. (ActiveX or XUL master documents are examples of how such documents might be master documents)

Today's web browsers display the address of the master document (not descendant documents) in the location bar visible to the user.

Users may conceive of pages as the output of the rendering process--what they see on their screen--rather than as the collection of documents that are the input to the process. However, such a definition cannot be reconciled with the fact that the same page may be rendered differently by two different browsers. Such a definition would also fail to reconcile how two pages that render exactly alike may be different underneath, and have different security properties.
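As an added illustration of the master/descendant distinction (example code written for this glossary entry, not part of the original page or of any WSC deliverable): the script below parses a constructed master document, resolves the descendant documents it would cause a browser to fetch, and reports those whose origin differs from the master's. Only the master document's address appears in the location bar, so these descendants are exactly the parts of the rendered page the user is given no indication of. The URLs and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample master document and its address (hypothetical values).
MASTER_URL = "https://example.org/account/login"
MASTER_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<iframe src="https://login-helper.example.com/frame"></iframe>
<script src="widgets/tracker.js"></script>
<p>Sign in</p>
</body></html>
"""


class DescendantCollector(HTMLParser):
    """Collect the descendant documents a master document causes to be fetched."""
    # Elements whose attribute references a further document (stylesheet, script, frame).
    FETCHING = {"link": "href", "script": "src", "iframe": "src", "frame": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.descendants = []  # list of (tag, absolute URL), in document order

    def handle_starttag(self, tag, attrs):
        attr_name = self.FETCHING.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only stylesheet links fetch a document that affects rendering.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        value = attrs.get(attr_name)
        if value:
            self.descendants.append((tag, urljoin(self.base_url, value)))


def origin(url):
    """Origin as (scheme, host, port); the location bar shows only the master's."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def descendant_documents(master_url, html):
    collector = DescendantCollector(master_url)
    collector.feed(html)
    return collector.descendants


def cross_origin_descendants(master_url, html):
    """Descendant documents whose origin the location bar does not reveal."""
    master_origin = origin(master_url)
    return [(tag, url) for tag, url in descendant_documents(master_url, html)
            if origin(url) != master_origin]


if __name__ == "__main__":
    for tag, url in cross_origin_descendants(MASTER_URL, MASTER_HTML):
        print(f"{tag}: {url} (origin not shown in location bar)")
```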