RE: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]

All,

 I've updated the missing and incorrect references in the FPWD of UI Safety and we should be ready to publish with the version at:

http://dvcs.w3.org/hg/user-interface-safety/raw-file/ca2e54aaf765/user-interface-safety.html

Thanks!

Brad Hill

> -----Original Message-----
> From: Hill, Brad
> Sent: Monday, November 05, 2012 3:13 AM
> To: Thomas Roessler
> Cc: Hill, Brad; Carine Bournez; public-webappsec@w3.org; Robin Berjon
> Subject: Re: Please fix! [Pub request: FPWD of User Interface Safety Directives
> for CSP]
> 
> If we can't publish until this is resolved it will be at least a week.
> 
> Brad Hill
> 
> On Nov 5, 2012, at 6:11 AM, "Thomas Roessler" <tlr@w3.org> wrote:
> 
> > I believe you're implying to defer this by at least a week, right?
> >
> > Concerning ReSpec, please contact Robin Berjon (CCed on this note).
> >
> > Thanks,
> > --
> > Thomas Roessler, W3C <tlr@w3.org> (@roessler)
> >
> >
> >
> > On 2012-11-05, at 12:08 +0100, "Hill, Brad" <bhill@paypal-inc.com> wrote:
> >
> >> We know that is the case but let's just postpone.
> >>
> >> I won't be able to address this immediately as:
> >>
> >> 1) I am at IETF this week.
> >> 2) Since the reference dictionary for ReSpec doesn't contain the
> >> references I need, I'll need to either figure out who to contact and
> >> how to add them, or switch the editing tooling I've been using.  I
> >> started trying to move to Anolis a few weeks ago but didn't get very
> >> far since the installation instructions reference years out-of-date
> >> package dependencies, many of which are no longer available and I'm
> >> not sure how to resolve.  That alone will probably take me a full day
> >> or more to get through. :(
> >> 3) There's actually some controversy about this at the IETF websec, so it is
> somewhat convenient for it to be delayed a bit until I can hopefully resolve
> that.
> >>
> >> Thanks,
> >>
> >> Brad
> >>
> >>> -----Original Message-----
> >>> From: Carine Bournez [mailto:carine@w3.org]
> >>> Sent: Monday, November 05, 2012 5:35 AM
> >>> To: Hill, Brad
> >>> Cc: Thomas Roessler (tlr@w3.org); public-webappsec@w3.org
> >>> Subject: Please fix! [Pub request: FPWD of User Interface Safety
> >>> Directives for CSP]
> >>>
> >>>
> >>> Hi,
> >>> It seems that the references sections are broken, several entries
> >>> don't get properly generated, there is an extra Normative references
> >>> section before the real generated References appendix.
> >>> Could you please fix this ASAP? If not, we'll postpone publication
> >>> to the next publication day (Thursday 8th).
> >>> Thanks!
> >>>
> >>>
> >>> On Fri, Oct 26, 2012 at 09:05:17PM +0000, Hill, Brad wrote:
> >>>> Thomas,
> >>>>
> >>>> On behalf of the Web Application Security WG we request that the
> >>>> User
> >>> Interface Safety Directives for Content Security Policy transition
> >>> to First Public Working Draft in the following location:
> >>>>
> >>>> User Interface Safety (UISafety)
> >>>> http://www.w3.org/TR/2011/WD-UISafety-20121105/
> >>>>
> >>>> This can be published effective immediately following the TPAC
> >>>> blackout
> >>> period.  (Nov 5?)
> >>>>
> >>>> The abstract and scope may be found in the document itself at:
> >>>> http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/u
> >>>> ser-
> >>> interface-safety.html
> >>>>
> >>>> "This document defines directives for the Content Security Policy
> >>> mechanism to declare a set of input protections for a web resource's
> >>> user interface, defines a non-normative set of heuristics for Web
> >>> user agents to implement these input protections, and a reporting
> >>> mechanism for when they are triggered."
> >>>>
> >>>> "In some UI Redressing attacks (also known as Clickjacking), a
> >>>> malicious web
> >>> application presents a user interface of another web application in
> >>> a manipulated context to the user, e.g. by partially obscuring the
> >>> genuine user interface with opaque layers on top, hence tricking the
> >>> user to click on a button out of context.
> >>>>
> >>>> "Existing anti-clickjacking measures including frame-busting codes
> >>>> and X-
> >>> Frame-Options are fundamentally incompatible with embeddable
> >>> third-party widgets, and insufficient to defend against timing-based
> attack vectors.
> >>>>
> >>>> "The User Interface Safety directives encompass the policies
> >>>> defined in X-
> >>> Frame-Options and also provide a new mechanism to allow web
> >>> applications to enable heuristic input protections for its user interfaces
> on user agents.
> >>>>
> >>>> "To mitigate UI redressing, for example, a web application can
> >>>> request that
> >>> a user interface element should be fully visible for a minimum
> >>> period of time before a user input can be delivered.
> >>>>
> >>>> "The User Interface Safety directive can often be applied to
> >>>> existing
> >>> applications with few or no changes, but the heuristic hints
> >>> supplied by the policy may require considerable experimental
> >>> fine-tuning to achieve an acceptable error rate.
> >>>>
> >>>> "This specification obsoletes X-Frame-Options. Resources may supply
> >>>> an X-
> >>> Frame-Options header in addition to a Content-Security-Policy header
> >>> to indicate policy to user agents that do not implement the
> >>> directives in this specification. A user agent that understands the
> >>> directives in this document should ignore the X-Frame-Options
> >>> header, when present, if User Interface Safety directives are also
> >>> present in a Content-Security-Policy header. This is to allow
> >>> resources to only be embedded if the mechanisms described in this
> >>> specification are enforced, and more restrictive X-Frame-Options policies
> applied otherwise."
> >>>>
> >>>>
> >>>>
> >>>> The WG has documented its agreement to advance this document by
> >>> issuing a Call for Consensus and receiving no objections,
> >>> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.ht
> >>> ml and recorded its formal decision to advance in the minutes of its
> >>> most recent teleconference here:
> >>> http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-
> Oct-
> >>> 2012.html
> >>>>
> >>>> Thank you,
> >>>>
> >>>> Brad Hill
> >

Received on Tuesday, 20 November 2012 00:33:33 UTC