- From: Michael[tm] Smith <mike@w3.org>
- Date: Tue, 22 Nov 2011 07:21:14 +0900
- To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Cc: public-html-comments@w3.org
Hi Philippe, Note that Hixie has responded to your comment and noted that he doesn't understand the third part of your comment (HTML5EL-USER-1.Overriding Sandbox): http://www.w3.org/Bugs/Public/show_bug.cgi?id=13698#c1 If you others familiar with content of the comments could post a follow-up comment to that bug, that would be great. --Mike Philippe De Ryck <philippe.deryck@cs.kuleuven.be>, 2011-08-03 19:46 +0200: > The following comment contains detailed information about a few issues > that were identified during a recent security analysis of 13 W3C > standards, organized by ENISA (European Network and Information Security > Agency), and performed by the DistriNet Research Group (K.U. Leuven, > Belgium). > > The complete report is available at http://www.enisa.europa.eu/html5 > (*), and contains information about the process, the discovered > vulnerabilities and recommendations towards improving overall security > in the studied specifications. > > Issues > -------- > > HTML5EL-SECURE-2.Menu Integration: A web application can define > contextual and toolbar menus. The specification does not mention many > implementation details. A user agent may implement integrate these menus > with its own user interface, especially on small displays such as > smartphones. This may confuse a user and may present malicious or > erroneous menu items. > > HTML5EL-SECURE-3.Keygen Scenarios: The specification does not provide > enough details about the keygen element. No concrete usage scenarios > (from keygen to actual use of the key) or implementation requirements > (e.g. storage of private keys) are provided. > > HTML5EL-USER-1.Overriding Sandbox: Sandboxed content is not allowed to > load plugin content. The specification of the embed element however > states that a user agent may allow the user to override this for a > specific content item, but the user agent should warn the user that this > could be dangerous. The override option is only briefly mentioned as > part of the description of the embed element, but is also an important > aspect of the sandbox attribute. The spec should either mention this > with the sandbox attribute or refer to the embed element. > > > (*) HTML version of the report is available as well: > https://distrinet.cs.kuleuven.be/projects/HTML5-security/ > -- > Philippe De Ryck > K.U.Leuven, Dept. of Computer Science > > > Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm -- Michael[tm] Smith http://people.w3.org/mike/+
Received on Monday, 21 November 2011 22:21:24 UTC