Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]

I believe you're implying to defer this by at least a week, right?

Concerning ReSpec, please contact Robin Berjon (CCed on this note).

Thomas Roessler, W3C <> (@roessler)

On 2012-11-05, at 12:08 +0100, "Hill, Brad" <> wrote:

> We know that is the case but let's just postpone.  
> I won't be able to address this immediately as:
> 1) I am at IETF this week.
> 2) Since the reference dictionary for ReSpec doesn't contain the references I need, I'll need to either figure out who to contact and how to add them, or switch the editing tooling I've been using.  I started trying to move to Anolis a few weeks ago but didn't get very far since the installation instructions reference years out-of-date package dependencies, many of which are no longer available and I'm not sure how to resolve.  That alone will probably take me a full day or more to get through. :(
> 3) There's actually some controversy about this at the IETF websec, so it is somewhat convenient for it to be delayed a bit until I can hopefully resolve that.
> Thanks,
> Brad
>> -----Original Message-----
>> From: Carine Bournez []
>> Sent: Monday, November 05, 2012 5:35 AM
>> To: Hill, Brad
>> Cc: Thomas Roessler (;
>> Subject: Please fix! [Pub request: FPWD of User Interface Safety Directives for
>> CSP]
>> Hi,
>> It seems that the references sections are broken, several entries don't get
>> properly generated, there is an extra Normative references section before the
>> real generated References appendix.
>> Could you please fix this ASAP? If not, we'll postpone publication to the next
>> publication day (Thursday 8th).
>> Thanks!
>> On Fri, Oct 26, 2012 at 09:05:17PM +0000, Hill, Brad wrote:
>>> Thomas,
>>> On behalf of the Web Application Security WG we request that the User
>> Interface Safety Directives for Content Security Policy transition to First Public
>> Working Draft in the following location:
>>> User Interface Safety (UISafety)
>>> This can be published effective immediately following the TPAC blackout
>> period.  (Nov 5?)
>>> The abstract and scope may be found in the document itself at:
>> interface-safety.html
>>> "This document defines directives for the Content Security Policy
>> mechanism to declare a set of input protections for a web resource's user
>> interface, defines a non-normative set of heuristics for Web user agents to
>> implement these input protections, and a reporting mechanism for when they
>> are triggered."
>>> "In some UI Redressing attacks (also known as Clickjacking), a malicious web
>> application presents a user interface of another web application in a
>> manipulated context to the user, e.g. by partially obscuring the genuine user
>> interface with opaque layers on top, hence tricking the user to click on a
>> button out of context.
>>> "Existing anti-clickjacking measures including frame-busting codes and X-
>> Frame-Options are fundamentally incompatible with embeddable third-party
>> widgets, and insufficient to defend against timing-based attack vectors.
>>> "The User Interface Safety directives encompass the policies defined in X-
>> Frame-Options and also provide a new mechanism to allow web applications
>> to enable heuristic input protections for its user interfaces on user agents.
>>> "To mitigate UI redressing, for example, a web application can request that
>> a user interface element should be fully visible for a minimum period of time
>> before a user input can be delivered.
>>> "The User Interface Safety directive can often be applied to existing
>> applications with few or no changes, but the heuristic hints supplied by the
>> policy may require considerable experimental fine-tuning to achieve an
>> acceptable error rate.
>>> "This specification obsoletes X-Frame-Options. Resources may supply an X-
>> Frame-Options header in addition to a Content-Security-Policy header to
>> indicate policy to user agents that do not implement the directives in this
>> specification. A user agent that understands the directives in this document
>> should ignore the X-Frame-Options header, when present, if User Interface
>> Safety directives are also present in a Content-Security-Policy header. This is
>> to allow resources to only be embedded if the mechanisms described in this
>> specification are enforced, and more restrictive X-Frame-Options policies
>> applied otherwise."
>>> The WG has documented its agreement to advance this document by
>> issuing a Call for Consensus and receiving no objections,
>> and
>> recorded its formal decision to advance in the minutes of its most recent
>> teleconference here:
>> 2012.html
>>> Thank you,
>>> Brad Hill

Received on Monday, 5 November 2012 11:10:47 UTC