Title
Overriding SCI Displays (shortname: override)
Overview
NoteKDECurrentPractice calls out that the Konqueror browser has started to make certain UI elements permanent (statusbar). @@ I presume this means that it is making areas that users use for trust decisions permanent. In particular, that content from a web site cannot disable or otherwise turn off areas where primary SCI is displayed.
Goals
Related to status-quo, although the current wording of status-quo targets it at security information and its presentation and interpretation, as opposed to its robustness and assurance.
All robustness proposals (attempt to) satisfy the trusted-path goal.
Applicability
Any web user agent that (proactively) presents SCI to the user (or a channel presumed to eventually lead to the user, such as accessiblity aides).
Requirement | Good Practice
Web user agents MUST NOT provide scripting or other capabilities to web site content whose purpose is to disable presentation of security content information to the user.
In order to verify conformance, web user agents MUST document the interfaces they use to present SCI to the user.
Techniques
The most obvious technique is to not provide scripting or other calls to disable the features that present SCI. It is in the spirit of this proposal that any functionality that can be used to disable presentation of SCI unintentionally would be considered a bug in conformance of this proposal, when that was discovered. @@ Is this covered adequately?
Examples (informational)
@@ As a conforming implementation, can anyone cite more specifically what Konqueror did to make the status bar permanent, and what it did before that allowed it not to be?
Attack resistance and limitations
ThreatTrees 2.C.iii
References
NoteKDECurrentPractice