W3C home > Mailing lists > Public > public-html-comments@w3.org > November 2011

Re: Three minor comments

From: Michael[tm] Smith <mike@w3.org>
Date: Tue, 22 Nov 2011 07:21:14 +0900
To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
Cc: public-html-comments@w3.org
Message-ID: <20111121222104.GA472@sideshowbarker>
Hi Philippe,

Note that Hixie has responded to your comment and noted that he doesn't
understand the third part of your comment (HTML5EL-USER-1.Overriding


If you others familiar with content of the comments could post a follow-up
comment to that bug, that would be great.


Philippe De Ryck <philippe.deryck@cs.kuleuven.be>, 2011-08-03 19:46 +0200:

> The following comment contains detailed information about a few issues
> that were identified during a recent security analysis of 13 W3C
> standards, organized by ENISA (European Network and Information Security
> Agency), and performed by the DistriNet Research Group (K.U. Leuven,
> Belgium).
> The complete report is available at http://www.enisa.europa.eu/html5
> (*), and contains information about the process, the discovered
> vulnerabilities and recommendations towards improving overall security
> in the studied specifications.
>  Issues
> --------
> HTML5EL-SECURE-2.Menu Integration: A web application can define
> contextual and toolbar menus. The specification does not mention many
> implementation details. A user agent may implement integrate these menus
> with its own user interface, especially on small displays such as
> smartphones. This may confuse a user and may present malicious or
> erroneous menu items.
> HTML5EL-SECURE-3.Keygen Scenarios: The specification does not provide
> enough details about the keygen element. No concrete usage scenarios
> (from keygen to actual use of the key) or implementation requirements
> (e.g. storage of private keys) are provided. 
> HTML5EL-USER-1.Overriding Sandbox: Sandboxed content is not allowed to
> load plugin content. The specification of the embed element however
> states that a user agent may allow the user to override this for a
> specific content item, but the user agent should warn the user that this
> could be dangerous. The override option is only briefly mentioned as
> part of the description of the embed element, but is also an important
> aspect of the sandbox attribute. The spec should either mention this
> with the sandbox attribute or refer to the embed element.
> (*) HTML version of the report is available as well:
> https://distrinet.cs.kuleuven.be/projects/HTML5-security/
> -- 
> Philippe De Ryck
> K.U.Leuven, Dept. of Computer Science
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Michael[tm] Smith
Received on Monday, 21 November 2011 22:21:24 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:28 UTC