- From: <chaals@yandex-team.ru>
- Date: Fri, 31 Mar 2017 18:24:35 +0200
- To: public-web-security <public-web-security@w3.org>
Hi,

I filed issue https://github.com/w3c/html/issues/853 on HTML, because the spec currently suggests that, when implementing context menus defined by page authors, it is OK to hide the normal browser context menu.

I'm concerned that this introduces a fairly simple phishing attack, because you can replace things that users might expect in the context menu with arbitrary script in the application.

Note that issues tagged with "security" can be reviewed as a group: https://github.com/w3c/html/labels/security

There are a handful, and one question in each case is whether there is a real security issue…

cheers

Chaals

--
Charles McCathie Nevile - standards - Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Friday, 31 March 2017 16:25:11 UTC