- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Tue, 26 Jun 2018 18:03:35 +0000
- To: public-webauthn@w3.org
thx, I changed client-side normativity to SHOULD. Please note also that this PR only improves #593 -- the other, original, portion of the issue is in regards to providing implementer guidance regarding how to display/present these string values in order to mitigate effects of possibly malicious string content, per @zbraniecki, [as quoted by](https://github.com/w3c/webauthn/issues/593#issuecomment-369402225) @jcjones: > @zbraniecki suggests that if we want to let browsers use this information for prompts, that we should write / refer to some guidance on how to present the strings, given that the attacker can do three major things with a DOMString: > > play with position and directionality (so the string may appear on the far right of the field rather than left, or in the middle), make things invisible within the string or confusing (emojis), or may the string contain characters that look like other characters. > My poor synopsis of some sample guidance would be advice to always use UI elements to provide a clear boundary around these strings, and not allow overflow into other elements, etc. [as I noted in](https://github.com/w3c/webauthn/issues/593#issuecomment-397378715) #593, I have done some modest searching around WHATWG and W3C specs regarding how one might specify guidance per @jcjones's suggestion above, but have been unable to find anything useful -- does anyone have any clues? -- GitHub Notification of comment by equalsJeffH Please view or discuss this issue at https://github.com/w3c/webauthn/pull/951#issuecomment-400409218 using your GitHub account
Received on Tuesday, 26 June 2018 18:04:04 UTC