[webappsec] new draft of UI Security available from Hill, Brad on 2013-03-25 (public-webappsec@w3.org from March 2013)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 25 Mar 2013 21:13:43 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E279725E0@DEN-EXDDA-S12.corp.ebay.com>

A new draft of the UI Security spec is now available at:

https://dvcs.w3.org/hg/user-interface-safety/raw-file/f828d1ce0cde/user-interface-safety.html

This draft removes the 'top-only' token for frame-options, adds the script interfaces and resolves an issue about non-normative recommendations for default or user opt-in enforcement of input-protection.

Please take a look.  I'd especially like feedback as to whether the webIDL definitions of the interface as "partial" rather than extending the CSP 1.1 directives is the correct choice.

I believe, following that, that all outstanding issues and requirements have been addressed by this draft.  While I think we should wait until we have more implementer feedback (at least one full implementation) before we go to Last Call, that this one is mostly done as far as the text goes.  If others feel similarly, I'd like to start a Call for Consensus to advance this as a new official Working Draft on tomorrow's call.

Thank you,

Brad Hill

Received on Monday, 25 March 2013 21:14:16 UTC