Re: Pub request: FPWD of User Interface Safety Directives for CSP

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 26 Oct 2012 23:12:54 +0200
Cc: "chairs@w3.org" <chairs@w3.org>, "w3t-comm@w3.org" <w3t-comm@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <B57010B1-4201-4F76-84B8-76277DC5633C@w3.org>
To: "Hill, Brad" <bhill@paypal-inc.com>
Thanks, Brad, for the (transition and) publication request.  FPWD transition and shortname approved.
-- 
Thomas Roessler, W3C <tlr@w3.org> (@roessler)



On 2012-10-26, at 23:05 +0200, "Hill, Brad" <bhill@paypal-inc.com> wrote:

> Thomas,
>  
> On behalf of the Web Application Security WG we request that the User Interface Safety Directives for Content Security Policy transition to First Public Working Draft in the following location:
>  
> User Interface Safety (UISafety)
> http://www.w3.org/TR/2011/WD-UISafety-20121105/
>  
> This can be published effective immediately following the TPAC blackout period.  (Nov 5?)
>  
> The abstract and scope may be found in the document itself at: 
> http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/user-interface-safety.html
>  
> “This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and a reporting mechanism for when they are triggered.”
> 
> “In some UI Redressing attacks (also known as Clickjacking), a malicious web application presents a user interface of another web application in a manipulated context to the user, e.g. by partially obscuring the genuine user interface with opaque layers on top, hence tricking the user to click on a button out of context.
>  
> “Existing anti-clickjacking measures including frame-busting codes and X-Frame-Options are fundamentally incompatible with embeddable third-party widgets, and insufficient to defend against timing-based attack vectors.
>  
> “The User Interface Safety directives encompass the policies defined in X-Frame-Options and also provide a new mechanism to allow web applications to enable heuristic input protections for its user interfaces on user agents.
>  
> “To mitigate UI redressing, for example, a web application can request that a user interface element should be fully visible for a minimum period of time before a user input can be delivered.
>  
> “The User Interface Safety directive can often be applied to existing applications with few or no changes, but the heuristic hints supplied by the policy may require considerable experimental fine-tuning to achieve an acceptable error rate.
>  
> “This specification obsoletes X-Frame-Options. Resources may supply an X-Frame-Options header in addition to a Content-Security-Policy header to indicate policy to user agents that do not implement the directives in this specification. A user agent that understands the directives in this document should ignore the X-Frame-Options header, when present, if User Interface Safety directives are also present in a Content-Security-Policy header. This is to allow resources to only be embedded if the mechanisms described in this specification are enforced, and more restrictive X-Frame-Options policies applied otherwise.”
>  
>  
>  
> The WG has documented its agreement to advance this document by issuing a Call for Consensus and receiving no objections, http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.html and recorded its formal decision to advance in the minutes of its most recent teleconference here: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html
>  
> Thank you,
>  
> Brad Hill
>  
>  
Received on Friday, 26 October 2012 21:13:03 GMT
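The precedence rule in the quoted abstract (a user agent that implements the UI Safety directives ignores X-Frame-Options when such directives appear in the Content-Security-Policy header, so a resource can send a restrictive X-Frame-Options for legacy user agents and a more permissive CSP for newer ones), as an added Python example that is not part of this thread or of the draft. The directive names `frame-options` and `input-protection` and the directive value syntax are assumptions for illustration.

```python
# Added example, not code from the W3C thread or the UISafety draft.
# Directive names "frame-options" and "input-protection" are assumed;
# the directive value syntax below is constructed for illustration.

UISAFETY_DIRECTIVES = {"frame-options", "input-protection"}  # assumed names


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def fallback_headers(allowed_framers, ui_directive_value):
    """Headers a resource sends so both old and new user agents get a policy.

    Legacy user agents only act on the restrictive X-Frame-Options; user
    agents that implement the UI Safety directives ignore it and apply the
    CSP, which permits embedding only with input protection enforced.
    """
    csp = "frame-options %s; input-protection %s" % (
        " ".join(allowed_framers), ui_directive_value)
    return {"X-Frame-Options": "DENY", "Content-Security-Policy": csp}


def effective_framing_policy(headers, supports_uisafety):
    """Model the user-agent decision: ('csp', {...}), ('xfo', value) or ('none', None)."""
    lower = {k.lower(): v for k, v in headers.items()}
    directives = parse_csp(lower.get("content-security-policy", ""))
    ui = {k: v for k, v in directives.items() if k in UISAFETY_DIRECTIVES}
    if supports_uisafety and ui:
        # UI Safety directives present: X-Frame-Options is ignored, per the draft
        return ("csp", ui)
    xfo = lower.get("x-frame-options")
    if xfo:
        return ("xfo", xfo.strip().upper())
    return ("none", None)


if __name__ == "__main__":
    hdrs = fallback_headers(["'self'", "https://partner.example"], "display-time=500")
    print(effective_framing_policy(hdrs, supports_uisafety=True))
    print(effective_framing_policy(hdrs, supports_uisafety=False))
```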