[whatwg] Security risks of persistent background content (Re: Installed Apps)
Maciej Stachowiak
mjs at apple.com
Wed Jul 29 16:09:47 PDT 2009
On Jul 29, 2009, at 3:05 PM, Robert O'Callahan wrote:
> What happened to my idea for browsers to have a special window
> containing tabs for "background apps", which save screen real estate
> by just showing an icon and title (and a URL or domain?) and no
> actual tab content? You might modify the UI so that quitting the
> normal browser leaves this window open, possibly as a separate OS
> app. Seems to me that this would provide almost exactly the desired
> functionality but without introducing new security concerns and
> without requiring a trust decision.
I haven't thought through this option in sufficient detail, but I'm
not sure that it resolves all of the risks I mentioned or the risks of
content outliving the page or the browser in general. Here are some
questions that come immediately to mind:
1) What exactly does the window look like? Just a normal tabbed
browser window with a window in each tab? I think users would find
that confusing.
2) What happens if users close the magic window (which likely they
will, if it's not obvious what it's for and just seems to be wasting
real estate)? Are all the background tasks killed or do they secretly
keep running? Either seems like a bad option.
3) In what way are users alerted to a new item being opened in the
magic window - is there a UI for this that can avoid being either too
distracting or too subtle?
4) Is it really ok for web content to survive browser quit and
possibly even reboot just because there is a visible indicator on
screen, without some explicit heavyweight form of user opt-in (like
Prism)? I'm not sure it is. Especially if the magic window has tabs,
if a number of popular web apps start using it, then users will start
to blank it out and be vulnerable to the same kinds of risks I
described (use for a botnet, waiting for exploits to be found, etc).
Given the risks I cited for the original form of the feature, I think
we need to keep in mind that a lot of the security risks are subtle
and insidious, and we need to be really cautious with any feature of
this type.
Regards,
Maciej