
Re: UI Safety Obstruction check and transforms

From: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
Date: Wed, 28 Nov 2012 00:22:33 -0800
Message-ID: <CAGiwpwgp6rYZsfZPUfJkbHhkLJzL1+omg94dj6LvVsSV6FXr-w@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Fred,

In Section 4 of the draft, the proposed "unsafe" boolean flag in the
UIEvent object signals the webpage that obstruction was detected by the
UA (whether it was caused by an attack or a benign transform). This allows
the webpage to react with an extra confirmation dialog, or implement other
custom fallbacks.

Thanks,
David


On Wed, Nov 21, 2012 at 2:21 AM, Fred Andrews <fredandw@live.com> wrote:

> The issue of transforms applied to an element receiving an event has been
> discussed before and the opinion offered was that transformed elements are
> not supported. Given that an element needs to be non-transformed to pass
> the obstruction check perhaps it would be appropriate to support elements
> being presented without transforms when about to receive events.  The use
> case would be to support rich UI designs that still offer UI safety.
>
> For example, consider a UI that docks social widgets at the side of a page
> and scales them down and applies a perspective transform for effect.  If
> input protection has been requested then these widgets would need to be
> presented unscaled and without the transform to pass the obstruction check.
>
> Could a UA recognize the issue and present the element in a little popup
> when hovering over it, or could the UA apply an extra confirmation step
> when an obstruction is detected and present the element unscaled and
> without the transform for confirmation? If so then perhaps an
> implementation note of the possibilities would be appropriate.
>
> Might it be appropriate to signal an event that the webpage could use to
> implement such presentation itself, with a default left to the UA?  If so
> then the spec. would presumably need to define this event.
>
> For the case of a docked widget, a two-step process would not be an
> unreasonable UI design, and is there enough support for webpage designers
> to be able to implement such a design?
>
> cheers
> Fred
>
>
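As an added illustration of the page-side reaction David describes (this is example code written for this archive page, not code from the draft, from David, or from Fred), below is a click handler for a protected control that reads the proposed `unsafe` flag on the UIEvent and falls back to Fred's two-step design: a flagged click re-presents the control plainly (unscaled, no transform) and waits for a second click; only if the plain control is still flagged does the page ask the user explicitly. The `unsafe` attribute name is the one the message refers to; everything else (`createProtectedControl`, the `handlers` callbacks, `CONFIRM_WINDOW_MS`, the `unknownIsUnsafe` option, the `isTrusted` check, and the constructed event objects) is an assumption of this example, not part of the draft.

```javascript
"use strict";

// How long (ms) a confirmation step stays armed after a flagged click.
// Assumed value, not from the draft.
const CONFIRM_WINDOW_MS = 3000;

// Builds a click handler for one protected control.
// handlers (all assumed page-side callbacks, not draft API):
//   perform()   run the real action, e.g. submit the "like"
//   showPlain() re-present the control unscaled and untransformed and ask
//               the user to click it again
//   hidePlain() restore the decorative (transformed) rendering
//   askUser()   yes/no dialog used when even the plain control is flagged;
//               returns true to proceed
// options.unknownIsUnsafe: how to treat a UA that does not set the flag at
//   all (event.unsafe === undefined). Default true: such a UA gives no
//   obstruction information, so the page falls back to its own two-step UI.
function createProtectedControl(handlers, options = {}) {
  const unknownIsUnsafe = options.unknownIsUnsafe !== false;
  let armedUntil = 0; // timestamp until which a confirming click is accepted

  function disarm() {
    armedUntil = 0;
    handlers.hidePlain();
  }

  return function onClick(event, now = Date.now()) {
    // Script-synthesised events never carry a UA obstruction result, so a
    // protected action should not be driven by them.
    if (event.isTrusted === false) return "ignored";

    const unsafe = typeof event.unsafe === "boolean"
      ? event.unsafe          // UA ran its check: true = obstruction detected
      : unknownIsUnsafe;      // UA has no such flag

    const armed = now < armedUntil;

    if (!unsafe) {
      // Unobstructed click, either the first one or the confirming one.
      if (armed) disarm();
      handlers.perform();
      return "performed";
    }

    if (!armed) {
      // First flagged click. The flag is raised for benign transforms as
      // well as attacks, so do not alarm the user yet: show the control
      // plainly and wait for a second, hopefully unflagged, click.
      armedUntil = now + CONFIRM_WINDOW_MS;
      handlers.showPlain();
      return "confirmation-requested";
    }

    // The confirming click on the plain control is still flagged: nothing
    // the page controls explains the obstruction any more, so ask explicitly.
    const proceed = handlers.askUser();
    disarm();
    if (proceed) {
      handlers.perform();
      return "performed-after-dialog";
    }
    return "cancelled";
  };
}

// Constructed test harness: records which callbacks fired, in order.
function makeRecorder(dialogAnswer) {
  const log = [];
  return {
    log,
    handlers: {
      perform: () => log.push("perform"),
      showPlain: () => log.push("showPlain"),
      hidePlain: () => log.push("hidePlain"),
      askUser: () => { log.push("askUser"); return dialogAnswer; },
    },
  };
}

// Replays a constructed sequence of [eventLike, timestampMs] pairs through
// one control and returns the handler's decisions plus the callback log.
function runScenario(events, dialogAnswer = true, options = {}) {
  const rec = makeRecorder(dialogAnswer);
  const onClick = createProtectedControl(rec.handlers, options);
  const results = events.map(([ev, t]) => onClick(ev, t));
  return { results, log: rec.log };
}

// Docked, transformed widget: the first click is flagged (benign transform),
// the click on the plainly rendered widget is not.
console.log(runScenario([
  [{ isTrusted: true, unsafe: true }, 0],
  [{ isTrusted: true, unsafe: false }, 1200],
]));
```

The handler deliberately does not pop a dialog on the first flagged click, because the message notes the UA sets the flag for benign transforms as well as attacks; re-rendering plainly first keeps the extra step cheap for the docked-widget case while still forcing an explicit decision when an overlay is really present.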
Received on Wednesday, 28 November 2012 08:23:03 GMT