Re: ACTION-356: picture-in-picture attacks from Ian Fette on 2008-01-17 (public-wsc-wg@w3.org from January 2008)
Re: ACTION-356: picture-in-picture attacks
- From: Ian Fette <ifette@google.com>
- Date: Thu, 17 Jan 2008 10:36:59 -0800
- To: public-wsc-wg@w3.org
- Message-ID: <bbeaa26f0801171036q66f6a541xd65c5d1837a75eb3@mail.gmail.com>
I am not sure I fully understand the new text. "The editor bar MUST be displayed..." - is this saying it must be omnipresent, or that when it is displayed after being invoked by the user, it should have the customized theme etc?

On Jan 17, 2008 9:54 AM, Thomas Roessler <tlr@w3.org> wrote:
>
> I've moved most of the Wiki text about picture-in-picture attacks
> [1] into the current editor's draft:
>
> Many graphical user agents are vulnerable to picture-in-picture
> attacks: Graphic and script elements within an HTML page are used
> to simulate the look and feel of browser chrome. The attacker's
> goal is to recreate a convincing mockup of the browser chrome
> entirely within the content page, in order to provide (false)
> indicators of security to the user.
>
> In these user agents, the editor bar MUST be displayed using a
> theme customized to the user. The user selects this theme at
> browser installation time and it remains forever the same. The
> icon for the Contacts button MUST also be selected by the user at
> installation time.
>
> --
> https://www.w3.org/2006/WSC/drafts/rec/rewrite.html#safebar-picture-in-picture
>
> 1. https://www.w3.org/2006/WSC/wiki/NoteTestCases
>
> I believe that ISSUE-126 can be closed.
>
> Regards,
> --
> Thomas Roessler, W3C <tlr@w3.org>
>

Received on Thursday, 17 January 2008 18:37:10 UTC