
RE: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 5 Nov 2012 11:08:57 +0000
To: Carine Bournez <carine@w3.org>
CC: "Thomas Roessler (tlr@w3.org)" <tlr@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2DAAF2@DEN-EXDDA-S12.corp.ebay.com>
We know that is the case but let's just postpone.

I won't be able to address this immediately as:

1) I am at IETF this week.
2) Since the reference dictionary for ReSpec doesn't contain the references I need, I'll need to either figure out who to contact and how to add them, or switch the editing tooling I've been using.  I started trying to move to Anolis a few weeks ago but didn't get very far since the installation instructions reference years out-of-date package dependencies, many of which are no longer available, and I'm not sure how to resolve that.  That alone will probably take me a full day or more to get through. :(
3) There's actually some controversy about this at the IETF websec, so it is somewhat convenient for it to be delayed a bit until I can hopefully resolve that.

Thanks,

Brad

> -----Original Message-----
> From: Carine Bournez [mailto:carine@w3.org]
> Sent: Monday, November 05, 2012 5:35 AM
> To: Hill, Brad
> Cc: Thomas Roessler (tlr@w3.org); public-webappsec@w3.org
> Subject: Please fix! [Pub request: FPWD of User Interface Safety Directives for
> CSP]
> 
> 
> Hi,
> It seems that the references sections are broken, several entries don't get
> properly generated, there is an extra Normative references section before the
> real generated References appendix.
> Could you please fix this ASAP? If not, we'll postpone publication to the next
> publication day (Thursday 8th).
> Thanks!
> 
> 
> On Fri, Oct 26, 2012 at 09:05:17PM +0000, Hill, Brad wrote:
> > Thomas,
> >
> > On behalf of the Web Application Security WG we request that the User
> Interface Safety Directives for Content Security Policy transition to First Public
> Working Draft in the following location:
> >
> > User Interface Safety (UISafety)
> > http://www.w3.org/TR/2011/WD-UISafety-20121105/
> >
> > This can be published effective immediately following the TPAC blackout
> period.  (Nov 5?)
> >
> > The abstract and scope may be found in the document itself at:
> > http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/user-interface-safety.html
> >
> > "This document defines directives for the Content Security Policy
> mechanism to declare a set of input protections for a web resource's user
> interface, defines a non-normative set of heuristics for Web user agents to
> implement these input protections, and a reporting mechanism for when they
> are triggered."
> >
> > "In some UI Redressing attacks (also known as Clickjacking), a malicious web
> application presents a user interface of another web application in a
> manipulated context to the user, e.g. by partially obscuring the genuine user
> interface with opaque layers on top, hence tricking the user to click on a
> button out of context.
> >
> > "Existing anti-clickjacking measures including frame-busting codes and
> X-Frame-Options are fundamentally incompatible with embeddable third-party
> widgets, and insufficient to defend against timing-based attack vectors.
> >
> > "The User Interface Safety directives encompass the policies defined in
> X-Frame-Options and also provide a new mechanism to allow web applications
> to enable heuristic input protections for its user interfaces on user agents.
> >
> > "To mitigate UI redressing, for example, a web application can request that
> a user interface element should be fully visible for a minimum period of time
> before a user input can be delivered.
> >
> > "The User Interface Safety directive can often be applied to existing
> applications with few or no changes, but the heuristic hints supplied by the
> policy may require considerable experimental fine-tuning to achieve an
> acceptable error rate.
> >
> > "This specification obsoletes X-Frame-Options. Resources may supply an
> X-Frame-Options header in addition to a Content-Security-Policy header to
> indicate policy to user agents that do not implement the directives in this
> specification. A user agent that understands the directives in this document
> should ignore the X-Frame-Options header, when present, if User Interface
> Safety directives are also present in a Content-Security-Policy header. This is
> to allow resources to only be embedded if the mechanisms described in this
> specification are enforced, and more restrictive X-Frame-Options policies
> applied otherwise."
> >
> >
> >
> > The WG has documented its agreement to advance this document by
> issuing a Call for Consensus and receiving no objections,
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.html and
> recorded its formal decision to advance in the minutes of its most recent
> teleconference here:
> http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html
> >
> > Thank you,
> >
> > Brad Hill
> >
> >
Received on Monday, 5 November 2012 11:09:27 GMT
