Re: Three minor comments from Michael[tm] Smith on 2011-11-21 (public-html-comments@w3.org from November 2011)

From: Michael[tm] Smith <mike@w3.org>
Date: Tue, 22 Nov 2011 07:21:14 +0900
To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
Cc: public-html-comments@w3.org
Message-ID: <20111121222104.GA472@sideshowbarker>

Hi Philippe,

Note that Hixie has responded to your comment and noted that he doesn't
understand the third part of your comment (HTML5EL-USER-1.Overriding
Sandbox):

  http://www.w3.org/Bugs/Public/show_bug.cgi?id=13698#c1

If you others familiar with content of the comments could post a follow-up
comment to that bug, that would be great.

  --Mike

Philippe De Ryck <philippe.deryck@cs.kuleuven.be>, 2011-08-03 19:46 +0200:

> The following comment contains detailed information about a few issues
> that were identified during a recent security analysis of 13 W3C
> standards, organized by ENISA (European Network and Information Security
> Agency), and performed by the DistriNet Research Group (K.U. Leuven,
> Belgium).
> 
> The complete report is available at http://www.enisa.europa.eu/html5
> (*), and contains information about the process, the discovered
> vulnerabilities and recommendations towards improving overall security
> in the studied specifications.
> 
>  Issues
> --------
> 
> HTML5EL-SECURE-2.Menu Integration: A web application can define
> contextual and toolbar menus. The specification does not mention many
> implementation details. A user agent may implement integrate these menus
> with its own user interface, especially on small displays such as
> smartphones. This may confuse a user and may present malicious or
> erroneous menu items.
> 
> HTML5EL-SECURE-3.Keygen Scenarios: The specification does not provide
> enough details about the keygen element. No concrete usage scenarios
> (from keygen to actual use of the key) or implementation requirements
> (e.g. storage of private keys) are provided. 
> 
> HTML5EL-USER-1.Overriding Sandbox: Sandboxed content is not allowed to
> load plugin content. The specification of the embed element however
> states that a user agent may allow the user to override this for a
> specific content item, but the user agent should warn the user that this
> could be dangerous. The override option is only briefly mentioned as
> part of the description of the embed element, but is also an important
> aspect of the sandbox attribute. The spec should either mention this
> with the sandbox attribute or refer to the embed element.
> 
> 
> (*) HTML version of the report is available as well:
> https://distrinet.cs.kuleuven.be/projects/HTML5-security/
> -- 
> Philippe De Ryck
> K.U.Leuven, Dept. of Computer Science
> 
> 
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

-- 
Michael[tm] Smith
http://people.w3.org/mike/+

Received on Monday, 21 November 2011 22:21:24 UTC