Re: UI Safety Obstruction check and transforms

Hi.
Is there any consideration of using cryptographic technology to detect and
protect against obstruction in the WebApp WG?
The WebCrypto API handles crypto at the UA level,
but does not approach protecting the UA environment.

These types of concerns are also raised in the WebAppSec WG (mentioned in CSP
version 1.1 as experimental).

Regards,
Mountie.

On Wed, Nov 28, 2012 at 12:22 AM, David Lin-Shung Huang <linshung.huang@sv.cmu.edu> wrote:

> Hi Fred,
>
> In Section 4 of the draft, the proposed "unsafe" boolean flag in the
> UIEvent object signals the webpage that obstruction was detected by the
> UA (whether it was caused by an attack or a benign transform). This allows
> the webpage to react with an extra confirmation dialog, or implement other
> custom fallbacks.
>
> Thanks,
> David
>
>
> On Wed, Nov 21, 2012 at 2:21 AM, Fred Andrews <fredandw@live.com> wrote:
>
>> The issue of transforms applied to an element receiving an event has been
>> discussed before and the opinion offered was that transformed elements are
>> not supported. Given that an element needs to be non-transformed to pass
>> the obstruction check perhaps it would be appropriate to support elements
>> being presented without transforms when about to receive events. The use
>> case would be to support rich UI designs that still offer UI safety.
>>
>> For example, consider a UI that docks social widgets at the side of a
>> page and scales them down and applies a perspective transform for effect.
>> If input protection has been requested then these widgets would need to be
>> presented unscaled and without the transform to pass the obstruction check.
>>
>> Could a UA recognize the issue and present the element in a little popup
>> when hovering over it, or could the UA apply an extra confirmation step
>> when an obstruction is detected and present the element unscaled and
>> without the transform for confirmation? If so then perhaps an
>> implementation note of the possibilities would be appropriate.
>>
>> Might it be appropriate to signal an event that the webpage could use to
>> implement such presentation itself, with a default left to the UA?  If so
>> then the spec. would presumably need to define this event.
>>
>> For the case of a docked widget, a two-step process would not be an
>> unreasonable UI design, but is there enough support for webpage designers
>> to be able to implement such a design?
>>
>> cheers
>> Fred
>>
>>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Wednesday, 28 November 2012 08:55:09 UTC
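As an added illustration of the webpage-side fallback David describes (the draft's proposed "unsafe" boolean on the UIEvent) combined with the two-step design Fred suggests for docked, transformed widgets, the following is example code written for this archive page; it is not code from the draft, from either poster, or from any UA. The flag name `unsafe` is taken from the thread; the class and function names, the state machine, and the plain-object stand-ins for DOM elements and events are assumptions made so that it runs in Node without a browser.

```javascript
// Added example (not from the draft or the thread): a page-side handler for
// the proposed UIEvent "unsafe" flag. When the UA reports that the
// obstruction check failed, whether from an overlay attack or a benign CSS
// transform, the page refuses to act on that click. It presents the widget
// untransformed and waits for a second click that passes the check, the
// two-step flow Fred describes for docked widgets. Element and event objects
// are constructed stand-ins; no DOM is required.

const STATE_IDLE = "idle";
const STATE_CONFIRMING = "confirming";

// Drop the decorative transform so the element can pass the obstruction check
// on the confirming click. Returns the previous transform for later restore.
function presentUntransformed(element) {
  const previous = element.style.transform;
  element.style.transform = "none";
  return previous;
}

class ProtectedAction {
  constructor(element, onCommit) {
    this.element = element;      // widget to protect (stand-in for a DOM node)
    this.onCommit = onCommit;    // side effect to run only on a clean click
    this.state = STATE_IDLE;
    this.savedTransform = null;
  }

  // Handle one click and return the decision taken, so the flow can be
  // observed without a browser. Only an explicit `true` counts as obstruction;
  // `unsafe` is the draft's proposed flag name, assumed here.
  handleClick(event) {
    const unsafe = event.unsafe === true;

    if (this.state === STATE_IDLE) {
      if (!unsafe) {
        this.onCommit();
        return "committed";
      }
      // Obstruction detected: switch to the confirming presentation instead
      // of acting on a click the UA could not vouch for.
      this.savedTransform = presentUntransformed(this.element);
      this.state = STATE_CONFIRMING;
      return "confirmation-required";
    }

    // STATE_CONFIRMING: a second obstructed click cancels; a clean one commits.
    this.restore();
    if (unsafe) {
      return "cancelled";
    }
    this.onCommit();
    return "committed";
  }

  // Return the widget to its transformed, docked presentation.
  restore() {
    this.element.style.transform = this.savedTransform;
    this.savedTransform = null;
    this.state = STATE_IDLE;
  }
}

// Constructed scenario runner: a docked share widget scaled down with a
// perspective transform receives a sequence of click events.
function runScenario(clicks) {
  const widget = { style: { transform: "perspective(400px) scale(0.6)" } };
  let commits = 0;
  const action = new ProtectedAction(widget, () => { commits += 1; });
  const decisions = clicks.map((ev) => action.handleClick(ev));
  return { decisions, commits, finalTransform: widget.style.transform };
}

// Benign transform: first click flagged, untransformed second click commits.
console.log(runScenario([{ unsafe: true }, { unsafe: false }]));
// Persistent obstruction: every click stays flagged, nothing ever commits.
console.log(runScenario([{ unsafe: true }, { unsafe: true }, { unsafe: true }]));
```

The design point is that the page never trusts the first flagged click: the commit side effect runs only on a click the UA did not mark, and a repeat flag during confirmation cancels rather than retries indefinitely. Restoring the transform afterwards keeps the rich presentation Fred wants, while the confirmation step itself is shown untransformed so it can pass the check.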