- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Mon, 5 Nov 2012 11:08:57 +0000
- To: Carine Bournez <carine@w3.org>
- CC: "Thomas Roessler (tlr@w3.org)" <tlr@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
We know that is the case but let's just postpone. I won't be able to address this immediately as:

1) I am at IETF this week.

2) Since the reference dictionary for ReSpec doesn't contain the references I need, I'll need to either figure out who to contact and how to add them, or switch the editing tooling I've been using. I started trying to move to Anolis a few weeks ago but didn't get very far since the installation instructions reference years out-of-date package dependencies, many of which are no longer available and I'm not sure how to resolve. That alone will probably take me a full day or more to get through. :(

3) There's actually some controversy about this at the IETF websec, so it is somewhat convenient for it to be delayed a bit until I can hopefully resolve that.

Thanks,

Brad

> -----Original Message-----
> From: Carine Bournez [mailto:carine@w3.org]
> Sent: Monday, November 05, 2012 5:35 AM
> To: Hill, Brad
> Cc: Thomas Roessler (tlr@w3.org); public-webappsec@w3.org
> Subject: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
>
> Hi,
> It seems that the references sections are broken: several entries don't get properly generated, and there is an extra Normative references section before the real generated References appendix.
> Could you please fix this ASAP? If not, we'll postpone publication to the next publication day (Thursday 8th).
> Thanks!
>
> On Fri, Oct 26, 2012 at 09:05:17PM +0000, Hill, Brad wrote:
> > Thomas,
> >
> > On behalf of the Web Application Security WG we request that the User Interface Safety Directives for Content Security Policy transition to First Public Working Draft in the following location:
> >
> > User Interface Safety (UISafety)
> > http://www.w3.org/TR/2011/WD-UISafety-20121105/
> >
> > This can be published effective immediately following the TPAC blackout period. (Nov 5?)
> >
> > The abstract and scope may be found in the document itself at:
> > http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/user-interface-safety.html
> >
> > "This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and a reporting mechanism for when they are triggered."
> >
> > "In some UI Redressing attacks (also known as Clickjacking), a malicious web application presents a user interface of another web application in a manipulated context to the user, e.g. by partially obscuring the genuine user interface with opaque layers on top, hence tricking the user into clicking on a button out of context.
> >
> > "Existing anti-clickjacking measures including frame-busting code and X-Frame-Options are fundamentally incompatible with embeddable third-party widgets, and insufficient to defend against timing-based attack vectors.
> >
> > "The User Interface Safety directives encompass the policies defined in X-Frame-Options and also provide a new mechanism to allow web applications to enable heuristic input protections for their user interfaces on user agents.
> >
> > "To mitigate UI redressing, for example, a web application can request that a user interface element should be fully visible for a minimum period of time before a user input can be delivered.
> >
> > "The User Interface Safety directive can often be applied to existing applications with few or no changes, but the heuristic hints supplied by the policy may require considerable experimental fine-tuning to achieve an acceptable error rate.
> >
> > "This specification obsoletes X-Frame-Options. Resources may supply an X-Frame-Options header in addition to a Content-Security-Policy header to indicate policy to user agents that do not implement the directives in this specification. A user agent that understands the directives in this document should ignore the X-Frame-Options header, when present, if User Interface Safety directives are also present in a Content-Security-Policy header. This is to allow resources to only be embedded if the mechanisms described in this specification are enforced, and more restrictive X-Frame-Options policies applied otherwise."
> >
> >
> > The WG has documented its agreement to advance this document by issuing a Call for Consensus and receiving no objections, http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.html and recorded its formal decision to advance in the minutes of its most recent teleconference here: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html
> >
> > Thank you,
> >
> > Brad Hill
> >
> >
Received on Monday, 5 November 2012 11:09:27 UTC
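The quoted abstract describes a precedence rule between the legacy X-Frame-Options header and the new User Interface Safety directives: a user agent that implements the directives ignores X-Frame-Options whenever the Content-Security-Policy header also carries UI Safety directives, while an older user agent only ever sees X-Frame-Options. The following JavaScript models that rule as a user agent would apply it. It is an added example, not code from this e-mail, the UISafety draft, or any browser. The directive names `frame-options` and `input-protection` are assumed here for illustration (the e-mail does not list the directive names), the `supportsUiSafety` flag stands in for whether the user agent implements the draft, and the sample header set is constructed for the example.

```javascript
// Added example (not from the e-mail or the UISafety draft): a model of the
// header-precedence rule quoted in the abstract. A user agent that implements
// the User Interface Safety directives ignores X-Frame-Options when the
// Content-Security-Policy header also carries UI Safety directives; a user
// agent that does not implement them only acts on X-Frame-Options.
//
// ASSUMPTION: 'frame-options' and 'input-protection' are used here as the
// UI Safety directive names; the e-mail itself does not name them.
const UI_SAFETY_DIRECTIVES = new Set(['frame-options', 'input-protection']);

// Parse one or more Content-Security-Policy header values into a Map of
// directive name -> directive value. Repeated header instances may arrive as
// an array or as one comma-joined string; each policy is a ';'-separated
// list of "name value..." tokens. Directive names are case-insensitive, and
// the first occurrence of a name wins, as CSP does for duplicates.
function parseCsp(headerValues) {
  const directives = new Map();
  for (const header of [].concat(headerValues || [])) {
    for (const policy of header.split(',')) {
      for (const raw of policy.split(';')) {
        const token = raw.trim();
        if (!token) continue;
        const [name, ...rest] = token.split(/\s+/);
        const key = name.toLowerCase();
        if (!directives.has(key)) directives.set(key, rest.join(' '));
      }
    }
  }
  return directives;
}

// Normalise an X-Frame-Options value. DENY and SAMEORIGIN are matched
// case-insensitively; ALLOW-FROM keeps its origin as written. Anything else
// is reported as INVALID so a caller can fail closed rather than treat an
// unknown token as permission to frame.
function parseXfo(value) {
  if (value == null) return null;
  const v = value.trim();
  const upper = v.toUpperCase();
  if (upper === 'DENY' || upper === 'SAMEORIGIN') return { mode: upper };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) return { mode: 'ALLOW-FROM', origin: m[1] };
  return { mode: 'INVALID' };
}

// Decide which framing policy the response headers express for a user agent.
// `headers` is an object keyed by lower-case header name; `supportsUiSafety`
// models whether the user agent implements the UI Safety directives.
function effectiveFramingPolicy(headers, supportsUiSafety) {
  const csp = parseCsp(headers['content-security-policy']);
  const uiSafety = [...csp.keys()].filter((d) => UI_SAFETY_DIRECTIVES.has(d));
  const xfo = parseXfo(headers['x-frame-options']);

  if (supportsUiSafety && uiSafety.length > 0) {
    // Abstract's rule: UI Safety directives present, so X-Frame-Options is
    // ignored even if it would have been more restrictive.
    const directives = {};
    for (const d of uiSafety) directives[d] = csp.get(d);
    return { source: 'csp-ui-safety', directives, xfoIgnored: xfo !== null };
  }
  if (xfo) {
    // No UI Safety directives (or a legacy user agent): X-Frame-Options
    // governs, which is the "more restrictive policy otherwise" case.
    return { source: 'x-frame-options', policy: xfo, xfoIgnored: false };
  }
  return { source: 'none', xfoIgnored: false };
}

// Constructed sample response: a widget that wants to be embeddable only
// where the new heuristics are enforced, and denied everywhere else.
const SAMPLE_HEADERS = {
  'x-frame-options': 'DENY',
  'content-security-policy':
    "default-src 'self'; frame-options 'self' https://widgets.example; input-protection",
};
```

Running `effectiveFramingPolicy(SAMPLE_HEADERS, true)` returns the CSP-based policy with `xfoIgnored` set, while the same headers under `supportsUiSafety = false` resolve to the `DENY` from X-Frame-Options; that split is exactly the deployment pattern the abstract describes, where a resource ships a strict legacy header and relaxes it only for user agents that enforce the new mechanism. A CSP header with no UI Safety directives leaves X-Frame-Options in force even on a supporting user agent.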