- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Tue, 20 Nov 2012 00:33:04 +0000
- To: Thomas Roessler <tlr@w3.org>
- CC: Carine Bournez <carine@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Robin Berjon <robin@w3.org>
All,

I've updated the missing and incorrect references in the FPWD of UI Safety and we should be ready to publish with the version at:

http://dvcs.w3.org/hg/user-interface-safety/raw-file/ca2e54aaf765/user-interface-safety.html

Thanks!

Brad Hill

> -----Original Message-----
> From: Hill, Brad
> Sent: Monday, November 05, 2012 3:13 AM
> To: Thomas Roessler
> Cc: Hill, Brad; Carine Bournez; public-webappsec@w3.org; Robin Berjon
> Subject: Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
>
> If we can't publish until this is resolved it will be at least a week.
>
> Brad Hill
>
> On Nov 5, 2012, at 6:11 AM, "Thomas Roessler" <tlr@w3.org> wrote:
>
> > I believe you're implying to defer this by at least a week, right?
> >
> > Concerning ReSpec, please contact Robin Berjon (CCed on this note).
> >
> > Thanks,
> > --
> > Thomas Roessler, W3C <tlr@w3.org> (@roessler)
> >
> >
> >
> > On 2012-11-05, at 12:08 +0100, "Hill, Brad" <bhill@paypal-inc.com> wrote:
> >
> >> We know that is the case but let's just postpone.
> >>
> >> I won't be able to address this immediately as:
> >>
> >> 1) I am at IETF this week.
> >> 2) Since the reference dictionary for ReSpec doesn't contain the references I need, I'll need to either figure out who to contact and how to add them, or switch the editing tooling I've been using. I started trying to move to Anolis a few weeks ago but didn't get very far since the installation instructions reference years out-of-date package dependencies, many of which are no longer available and I'm not sure how to resolve. That alone will probably take me a full day or more to get through. :(
> >> 3) There's actually some controversy about this at the IETF websec, so it is somewhat convenient for it to be delayed a bit until I can hopefully resolve that.
> >>
> >> Thanks,
> >>
> >> Brad
> >>
> >>> -----Original Message-----
> >>> From: Carine Bournez [mailto:carine@w3.org]
> >>> Sent: Monday, November 05, 2012 5:35 AM
> >>> To: Hill, Brad
> >>> Cc: Thomas Roessler (tlr@w3.org); public-webappsec@w3.org
> >>> Subject: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
> >>>
> >>>
> >>> Hi,
> >>> It seems that the references sections are broken, several entries don't get properly generated, there is an extra Normative references section before the real generated References appendix.
> >>> Could you please fix this ASAP? If not, we'll postpone publication to the next publication day (Thursday 8th).
> >>> Thanks!
> >>>
> >>>
> >>> On Fri, Oct 26, 2012 at 09:05:17PM +0000, Hill, Brad wrote:
> >>>> Thomas,
> >>>>
> >>>> On behalf of the Web Application Security WG we request that the User Interface Safety Directives for Content Security Policy transition to First Public Working Draft in the following location:
> >>>>
> >>>> User Interface Safety (UISafety)
> >>>> http://www.w3.org/TR/2011/WD-UISafety-20121105/
> >>>>
> >>>> This can be published effective immediately following the TPAC blackout period. (Nov 5?)
> >>>>
> >>>> The abstract and scope may be found in the document itself at:
> >>>> http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/user-interface-safety.html
> >>>>
> >>>> "This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and a reporting mechanism for when they are triggered."
> >>>>
> >>>> "In some UI Redressing attacks (also known as Clickjacking), a malicious web application presents a user interface of another web application in a manipulated context to the user, e.g. by partially obscuring the genuine user interface with opaque layers on top, hence tricking the user to click on a button out of context.
> >>>>
> >>>> "Existing anti-clickjacking measures including frame-busting codes and X-Frame-Options are fundamentally incompatible with embeddable third-party widgets, and insufficient to defend against timing-based attack vectors.
> >>>>
> >>>> "The User Interface Safety directives encompass the policies defined in X-Frame-Options and also provide a new mechanism to allow web applications to enable heuristic input protections for its user interfaces on user agents.
> >>>>
> >>>> "To mitigate UI redressing, for example, a web application can request that a user interface element should be fully visible for a minimum period of time before a user input can be delivered.
> >>>>
> >>>> "The User Interface Safety directive can often be applied to existing applications with few or no changes, but the heuristic hints supplied by the policy may require considerable experimental fine-tuning to achieve an acceptable error rate.
> >>>>
> >>>> "This specification obsoletes X-Frame-Options. Resources may supply an X-Frame-Options header in addition to a Content-Security-Policy header to indicate policy to user agents that do not implement the directives in this specification. A user agent that understands the directives in this document should ignore the X-Frame-Options header, when present, if User Interface Safety directives are also present in a Content-Security-Policy header. This is to allow resources to only be embedded if the mechanisms described in this specification are enforced, and more restrictive X-Frame-Options policies applied otherwise."
> >>>>
> >>>>
> >>>>
> >>>> The WG has documented its agreement to advance this document by issuing a Call for Consensus and receiving no objections, http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.html and recorded its formal decision to advance in the minutes of its most recent teleconference here:
> >>>> http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html
> >>>>
> >>>> Thank you,
> >>>>
> >>>> Brad Hill
>
Received on Tuesday, 20 November 2012 00:33:33 UTC
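The precedence rule in the quoted abstract (a resource sends X-Frame-Options next to a Content-Security-Policy header; a user agent that implements the UI Safety directives ignores X-Frame-Options when those directives are present, a legacy user agent applies X-Frame-Options) and the "fully visible for a minimum period of time" heuristic, modelled in JavaScript as an added example. This is not code from the draft, the working group or this thread. The directive names `frame-options` and `input-protection`, the `frame-options` token syntax and the `display-time=<ms>` parameter are assumptions made for illustration; the thread only speaks of "User Interface Safety directives".

```javascript
// Added example, not code from the W3C UISafety draft or this thread.
// ASSUMED for illustration (the thread does not name the directives):
//   - the UI Safety directives are `frame-options` and `input-protection`;
//   - `frame-options` takes 'deny', 'self' or origin tokens;
//   - `input-protection` takes `display-time=<ms>`, the minimum time an
//     element must be fully visible before input is delivered to it.
const UI_SAFETY_DIRECTIVES = ["frame-options", "input-protection"];

// Parse a CSP header into Map<directive name, value tokens>.
// Directives are ';'-separated; the first occurrence of a name wins.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// X-Frame-Options as a legacy user agent applies it: DENY, SAMEORIGIN or
// ALLOW-FROM <origin>; an unrecognised value is ignored (framing allowed).
function xfoAllowsFraming(xfo, topOrigin, resourceOrigin) {
  if (!xfo) return true;
  const [mode, arg] = xfo.trim().split(/\s+/);
  switch (mode.toUpperCase()) {
    case "DENY": return false;
    case "SAMEORIGIN": return topOrigin === resourceOrigin;
    case "ALLOW-FROM": return !!arg && topOrigin === arg.replace(/\/$/, "");
    default: return true;
  }
}

// Assumed frame-options semantics: 'deny' blocks, 'self' allows the same
// origin, any other token is an origin that may embed the resource.
function frameOptionsAllowFraming(tokens, topOrigin, resourceOrigin) {
  if (tokens.includes("'deny'")) return false;
  if (tokens.includes("'self'") && topOrigin === resourceOrigin) return true;
  return tokens.some(t => t === topOrigin);
}

// Decide whether a page at topOrigin may frame resourceOrigin, and which
// header decided. Header names are expected in lower case.
function framingDecision(headers, uaSupportsUiSafety, topOrigin, resourceOrigin) {
  const csp = parseCsp(headers["content-security-policy"]);
  const hasUiSafety = UI_SAFETY_DIRECTIVES.some(d => csp.has(d));
  if (uaSupportsUiSafety && hasUiSafety) {
    // UI-Safety-aware UA: X-Frame-Options is ignored when the directives are present.
    const fo = csp.get("frame-options");
    const allowed = fo ? frameOptionsAllowFraming(fo, topOrigin, resourceOrigin) : true;
    return { source: "ui-safety", allowed };
  }
  return {
    source: "x-frame-options",
    allowed: xfoAllowsFraming(headers["x-frame-options"], topOrigin, resourceOrigin),
  };
}

// Assumed `display-time=<ms>` parameter of input-protection; 0 when absent.
function displayTimeMs(headers) {
  const tokens = parseCsp(headers["content-security-policy"]).get("input-protection") || [];
  for (const t of tokens) {
    const m = /^display-time=(\d+)$/.exec(t);
    if (m) return Number(m[1]);
  }
  return 0;
}

// The heuristic from the abstract: deliver the input only if the target has
// been fully visible (not obscured by overlays) for at least display-time ms.
// fullyVisibleSinceMs is null while the element is partially obscured.
function shouldDeliverInput(headers, fullyVisibleSinceMs, eventTimeMs) {
  if (fullyVisibleSinceMs === null) return false;
  return eventTimeMs - fullyVisibleSinceMs >= displayTimeMs(headers);
}

// Constructed sample response headers for an embeddable widget: legacy UAs
// get the stricter X-Frame-Options DENY, UI-Safety-aware UAs may embed it
// from the partner origin with the input-protection heuristic enforced.
const WIDGET_HEADERS = {
  "x-frame-options": "DENY",
  "content-security-policy":
    "frame-options https://partner.example; input-protection display-time=500",
};
```

Sending both headers is the pattern the abstract describes: the widget is embeddable only where the heuristic protections are enforced, and falls back to a flat DENY everywhere else. The `display-time` value is the kind of hint the abstract warns may need experimental tuning, since a too-small value lets a fast overlay swap through and a too-large one rejects legitimate clicks.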