
Re: UI issues for security consideration

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Fri, 4 Dec 2009 22:21:10 +0800
Message-ID: <8ba534860912040621l2fb59370q49c2629859abf5d9@mail.gmail.com>
To: public-web-security@w3.org

I think the wiki should include examples, and I think the security community
will be happy to provide them. If no one opposes that, I'll start
doing so when I find time.

Regarding UI issues, maybe covering LTR/RTL chars in browsers' dialog boxes
would be wise in the Spoofing section.

Stuff like:

"The website [URL] wants to be your default homepage, ok? [OK]"

with this input:

"http://sirdarckcat.net/?x=[RTL]x?detacsufbo/moc.elgoog.www//:ptth"

will be shown in some browsers' dialogs as:

The website wants to show you some cool stuff! check it out:
http://www.google.com/obfuscated?x?ko ,egapemoh tluafed rouy eb ot
stanw=x?/net.tackcradris//:ptth

Some rather popular browser has an issue like this... and they ain't fixing
it.

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China
Received on Saturday, 5 December 2009 14:29:19 GMT
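
A defensive check for the dialog case described in the message above, as an added example that is not part of the original post: it finds Unicode bidirectional control characters in a URL before the URL is placed in UI text, percent-encodes them, and wraps the result in a directional isolate. The function and constant names are hypothetical, and reading the post's `[RTL]` placeholder as U+202E (RIGHT-TO-LEFT OVERRIDE) is an assumption.

```javascript
// Added example; all names here are hypothetical, not from any browser code base.
// Unicode bidirectional formatting characters that can reorder displayed text.
const BIDI_CONTROLS = new Map([
  [0x061c, "ALM"], [0x200e, "LRM"], [0x200f, "RLM"],
  [0x202a, "LRE"], [0x202b, "RLE"], [0x202c, "PDF"],
  [0x202d, "LRO"], [0x202e, "RLO"],
  [0x2066, "LRI"], [0x2067, "RLI"], [0x2068, "FSI"], [0x2069, "PDI"],
]);

// Constructed sample: the URL from the post, with "[RTL]" assumed to be U+202E.
const SAMPLE = "http://sirdarckcat.net/?x=\u202Ex?detacsufbo/moc.elgoog.www//:ptth";

// Report each bidi control in the string with its UTF-16 index and short name.
function findBidiControls(text) {
  const hits = [];
  let index = 0;
  for (const ch of text) {
    const name = BIDI_CONTROLS.get(ch.codePointAt(0));
    if (name) hits.push({ index, name });
    index += ch.length;
  }
  return hits;
}

// Percent-encode bidi controls (UTF-8) so the URL is shown in logical order.
function neutralizeUrl(url) {
  let out = "";
  for (const ch of url) {
    out += BIDI_CONTROLS.has(ch.codePointAt(0)) ? encodeURIComponent(ch) : ch;
  }
  return out;
}

// Build the dialog text from the post. The URL is neutralized first, so it
// cannot contain a PDI that would close the isolate early, then wrapped in
// LRI ... PDI so its direction cannot affect the surrounding sentence.
function dialogText(url) {
  const LRI = "\u2066", PDI = "\u2069";
  return `The website ${LRI}${neutralizeUrl(url)}${PDI} wants to be your default homepage, ok?`;
}

console.log(findBidiControls(SAMPLE)); // where the control character sits
console.log(neutralizeUrl(SAMPLE));    // what the dialog should display
```
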

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT