[webappsec] new UISecurity draft, based on IronFrame and IntersectionObserver from Brad Hill on 2015-12-03 (public-webappsec@w3.org from December 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 03 Dec 2015 23:37:33 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Kaminsky <dan@whiteops.com>, Alex Russell <slightlyoff@google.com>, mpb@google.com
Message-ID: <CAEeYn8gODpUmkY8EmMxz+YR_OWBmhF1brZr1Ssk76HXY3dYXag@mail.gmail.com>

I've finally got a new UISecurity draft based on the Observer API pattern
up in its own repository and available for review!

http://w3c.github.io/webappsec-uisecurity/
https://github.com/w3c/webappsec-uisecurity

The updated spec takes the core idea of Kaminsky's IronFrame and puts it in
an API context that looks very similar to IntersectionObserver.  Some key
differences are described in a note in the introduction section.  This spec
also introduces a declarative API through a Content Security Policy
directive, implemented in terms of the observer internals.
IntersectionObserver is a great concept and API, but I think it meets
primarily advertising use cases, and doesn't really solve many common
clickjacking attacks.

Feedback would be *greatly* appreciated.

-Brad Hill (as editor)

Received on Thursday, 3 December 2015 23:38:11 UTC