
Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 5 Nov 2012 11:13:06 +0000
To: Thomas Roessler <tlr@w3.org>
CC: "Hill, Brad" <bhill@paypal-inc.com>, Carine Bournez <carine@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Robin Berjon <robin@w3.org>
Message-ID: <B17593B7-C6AC-4444-BB70-44BE0124728B@paypal.com>
If we can't publish until this is resolved it will be at least a week.

Brad Hill

On Nov 5, 2012, at 6:11 AM, "Thomas Roessler" <tlr@w3.org> wrote:

> I believe you're implying to defer this by at least a week, right?
> 
> Concerning ReSpec, please contact Robin Berjon (CCed on this note).
> 
> Thanks,
> -- 
> Thomas Roessler, W3C <tlr@w3.org> (@roessler)
> 
> 
> 
> On 2012-11-05, at 12:08 +0100, "Hill, Brad" <bhill@paypal-inc.com> wrote:
> 
>> We know that is the case but let's just postpone.  
>> 
>> I won't be able to address this immediately as:
>> 
>> 1) I am at IETF this week.
>> 2) Since the reference dictionary for ReSpec doesn't contain the references I need, I'll need to either figure out who to contact and how to add them, or switch the editing tooling I've been using.  I started trying to move to Anolis a few weeks ago but didn't get very far since the installation instructions reference years out-of-date package dependencies, many of which are no longer available and I'm not sure how to resolve.  That alone will probably take me a full day or more to get through. :(
>> 3) There's actually some controversy about this at the IETF websec, so it is somewhat convenient for it to be delayed a bit until I can hopefully resolve that.
>> 
>> Thanks,
>> 
>> Brad
>> 
>>> -----Original Message-----
>>> From: Carine Bournez [mailto:carine@w3.org]
>>> Sent: Monday, November 05, 2012 5:35 AM
>>> To: Hill, Brad
>>> Cc: Thomas Roessler (tlr@w3.org); public-webappsec@w3.org
>>> Subject: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
>>> 
>>> 
>>> Hi,
>>> It seems that the references sections are broken, several entries don't get
>>> properly generated, there is an extra Normative references section before the
>>> real generated References appendix.
>>> Could you please fix this ASAP? If not, we'll postpone publication to the next
>>> publication day (Thursday 8th).
>>> Thanks!
>>> 
>>> 
>>> On Fri, Oct 26, 2012 at 09:05:17PM +0000, Hill, Brad wrote:
>>>> Thomas,
>>>> 
>>>> On behalf of the Web Application Security WG we request that the User Interface Safety Directives for Content Security Policy transition to First Public Working Draft in the following location:
>>>> 
>>>> User Interface Safety (UISafety)
>>>> http://www.w3.org/TR/2011/WD-UISafety-20121105/
>>>> 
>>>> This can be published effective immediately following the TPAC blackout period.  (Nov 5?)
>>>> 
>>>> The abstract and scope may be found in the document itself at:
>>>> http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/user-interface-safety.html
>>>> 
>>>> "This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and a reporting mechanism for when they are triggered."
>>>> 
>>>> "In some UI Redressing attacks (also known as Clickjacking), a malicious web application presents a user interface of another web application in a manipulated context to the user, e.g. by partially obscuring the genuine user interface with opaque layers on top, hence tricking the user to click on a button out of context.
>>>> 
>>>> "Existing anti-clickjacking measures including frame-busting codes and X-Frame-Options are fundamentally incompatible with embeddable third-party widgets, and insufficient to defend against timing-based attack vectors.
>>>> 
>>>> "The User Interface Safety directives encompass the policies defined in X-Frame-Options and also provide a new mechanism to allow web applications to enable heuristic input protections for its user interfaces on user agents.
>>>> 
>>>> "To mitigate UI redressing, for example, a web application can request that a user interface element should be fully visible for a minimum period of time before a user input can be delivered.
>>>> 
>>>> "The User Interface Safety directive can often be applied to existing applications with few or no changes, but the heuristic hints supplied by the policy may require considerable experimental fine-tuning to achieve an acceptable error rate.
>>>> 
>>>> "This specification obsoletes X-Frame-Options. Resources may supply an X-Frame-Options header in addition to a Content-Security-Policy header to indicate policy to user agents that do not implement the directives in this specification. A user agent that understands the directives in this document should ignore the X-Frame-Options header, when present, if User Interface Safety directives are also present in a Content-Security-Policy header. This is to allow resources to only be embedded if the mechanisms described in this specification are enforced, and more restrictive X-Frame-Options policies applied otherwise."
>>>> 
>>>> 
>>>> 
>>>> The WG has documented its agreement to advance this document by issuing a Call for Consensus and receiving no objections, http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.html and recorded its formal decision to advance in the minutes of its most recent teleconference here:
>>>> http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html
>>>> 
>>>> Thank you,
>>>> 
>>>> Brad Hill
> 
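As an added illustration (not code from this thread or from the UISafety draft itself), a small JavaScript model of the two user-agent behaviours the quoted abstract describes: the rule that X-Frame-Options is ignored when UI Safety directives are present in the Content-Security-Policy header, and the heuristic that input is only delivered once the target element has been fully visible for a minimum period. The header parsing, the directive names in UI_SAFETY_DIRECTIVES and all timings are assumptions for the demonstration.

```javascript
// Added example, not from the thread or the draft. Directive names below are
// assumed placeholders for "UI Safety directives"; consult the draft for the real ones.
const UI_SAFETY_DIRECTIVES = ['frame-options', 'input-protection'];

// Split a Content-Security-Policy header value ("name value; name value")
// into a Map of lower-cased directive name -> value string.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).join(' '));
  }
  return directives;
}

// Precedence rule from the abstract: a UA that understands the UI Safety
// directives ignores X-Frame-Options when those directives are present in the
// CSP header; otherwise X-Frame-Options (if sent) governs framing.
// `headers` is an object with lower-cased header names (assumption).
function effectiveFramingSource(headers, uiSafetyNames = UI_SAFETY_DIRECTIVES) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const directives = parseCsp(csp);
    if (uiSafetyNames.some((name) => directives.has(name))) return 'csp-ui-safety';
  }
  if (headers['x-frame-options']) return 'x-frame-options';
  return 'none';
}

// Visibility heuristic: deliver the input only if the element has been fully
// visible, without interruption, for at least minVisibleMs ending at inputTime.
// visibleIntervals: [[start, end], ...] in ms during which the element was
// fully visible (end may be Infinity when it is still visible). An element that
// was uncovered only just before the click therefore fails the check.
function inputAllowed(visibleIntervals, inputTime, minVisibleMs) {
  return visibleIntervals.some(([start, end]) =>
    start <= inputTime - minVisibleMs && inputTime <= end);
}
```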
Received on Monday, 5 November 2012 11:13:40 GMT
