- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Fri, 26 Oct 2012 21:05:17 +0000
- To: "Thomas Roessler (tlr@w3.org)" <tlr@w3.org>, "chairs@w3.org" <chairs@w3.org>, "w3t-comm@w3.org" <w3t-comm@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2AB065@DEN-EXDDA-S12.corp.ebay.com>
Thomas,

On behalf of the Web Application Security WG we request that the User Interface Safety Directives for Content Security Policy transition to First Public Working Draft in the following location:

User Interface Safety (UISafety)
http://www.w3.org/TR/2011/WD-UISafety-20121105/

This can be published effective immediately following the TPAC blackout period. (Nov 5?)

The abstract and scope may be found in the document itself at:
http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/user-interface-safety.html

"This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and a reporting mechanism for when they are triggered."

"In some UI Redressing attacks (also known as Clickjacking), a malicious web application presents a user interface of another web application in a manipulated context to the user, e.g. by partially obscuring the genuine user interface with opaque layers on top, hence tricking the user to click on a button out of context.

"Existing anti-clickjacking measures including frame-busting codes and X-Frame-Options are fundamentally incompatible with embeddable third-party widgets, and insufficient to defend against timing-based attack vectors.

"The User Interface Safety directives encompass the policies defined in X-Frame-Options and also provide a new mechanism to allow web applications to enable heuristic input protections for its user interfaces on user agents.

"To mitigate UI redressing, for example, a web application can request that a user interface element should be fully visible for a minimum period of time before a user input can be delivered.

"The User Interface Safety directive can often be applied to existing applications with few or no changes, but the heuristic hints supplied by the policy may require considerable experimental fine-tuning to achieve an acceptable error rate.

"This specification obsoletes X-Frame-Options. Resources may supply an X-Frame-Options header in addition to a Content-Security-Policy header to indicate policy to user agents that do not implement the directives in this specification. A user agent that understands the directives in this document should ignore the X-Frame-Options header, when present, if User Interface Safety directives are also present in a Content-Security-Policy header. This is to allow resources to only be embedded if the mechanisms described in this specification are enforced, and more restrictive X-Frame-Options policies applied otherwise."

The WG has documented its agreement to advance this document by issuing a Call for Consensus and receiving no objections,
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.html
and recorded its formal decision to advance in the minutes of its most recent teleconference here:
http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html

Thank you,
Brad Hill
Received on Friday, 26 October 2012 21:05:51 UTC
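The quoted abstract describes two user-agent behaviours: the precedence rule between X-Frame-Options and User Interface Safety directives carried in Content-Security-Policy, and the "fully visible for a minimum period of time" input heuristic. The following is an added model of both, written for this archive page; it is not code from the WG draft, from the e-mail, or from any browser. The directive names `frame-options` and `input-protection`, the `display-time=<ms>` parameter, the default of 1000 ms, and the header values and visibility timeline used in the usage section are assumptions constructed for the example.

```javascript
// Added example: user-agent-side model of the UISafety precedence rule and
// the display-time input heuristic. Directive names, the display-time
// parameter and its default are assumptions, not taken from the e-mail.

// CSP directives that count as "User Interface Safety directives" (assumed).
const UI_SAFETY_DIRECTIVES = ['frame-options', 'input-protection'];

// Parse a Content-Security-Policy header value into Map(name -> token[]).
// Directives are ';'-separated, tokens whitespace-separated, names
// case-insensitive; the first occurrence of a directive wins, as in CSP.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Precedence rule from the abstract: a user agent that implements the UI
// Safety directives ignores X-Frame-Options whenever the CSP carries any of
// them; otherwise it falls back to X-Frame-Options (if present).
// `headers` is a plain object with lower-cased header names.
function effectiveFramingPolicy(headers) {
  const csp = parseCsp(headers['content-security-policy']);
  const xfo = headers['x-frame-options'];
  const hasUiSafety = UI_SAFETY_DIRECTIVES.some((d) => csp.has(d));
  if (hasUiSafety) {
    return {
      source: 'csp',
      frameOptions: (csp.get('frame-options') || []).join(' ') || null,
      inputProtection: csp.get('input-protection') || null,
      reportUri: (csp.get('report-uri') || [])[0] || null,
      ignoredXFrameOptions: xfo !== undefined, // legacy header present but ignored
    };
  }
  if (xfo !== undefined) {
    return { source: 'x-frame-options', frameOptions: xfo.trim(), inputProtection: null,
             reportUri: null, ignoredXFrameOptions: false };
  }
  return { source: 'none', frameOptions: null, inputProtection: null,
           reportUri: null, ignoredXFrameOptions: false };
}

// Extract "display-time=<ms>" from input-protection tokens (assumed syntax);
// fall back to `defaultMs` when absent.
function displayTimeMs(inputProtectionTokens, defaultMs) {
  for (const tok of inputProtectionTokens || []) {
    const m = /^display-time=(\d+)$/i.exec(tok);
    if (m) return Number(m[1]);
  }
  return defaultMs;
}

// Display-time heuristic: deliver an input event only if the target element
// has been fully visible, without interruption, for at least displayTime ms
// before the event. `visibilityLog` is a constructed, time-ordered list of
// {t, fullyVisible} samples (ms); state persists until the next sample.
// Returns a decision plus a report-style reason the page could be sent.
function shouldDeliverInput(visibilityLog, eventTimeMs, displayTime) {
  let visibleSince = null;
  for (const sample of visibilityLog) {
    if (sample.t > eventTimeMs) break;
    if (sample.fullyVisible) {
      if (visibleSince === null) visibleSince = sample.t;
    } else {
      visibleSince = null; // any obscuring resets the timer
    }
  }
  if (visibleSince === null) return { deliver: false, reason: 'obscured', visibleFor: 0 };
  const visibleFor = eventTimeMs - visibleSince;
  if (visibleFor < displayTime) return { deliver: false, reason: 'display-time', visibleFor };
  return { deliver: true, reason: 'ok', visibleFor };
}

// Usage with constructed headers and a constructed visibility timeline.
const policy = effectiveFramingPolicy({
  'content-security-policy':
    "default-src 'self'; frame-options 'self' https://partner.example; " +
    'input-protection display-time=500; report-uri /csp-report',
  'x-frame-options': 'DENY', // kept for legacy user agents, ignored here
});
const minVisible = displayTimeMs(policy.inputProtection, 1000);
const timeline = [
  { t: 0, fullyVisible: false }, { t: 200, fullyVisible: true },
  { t: 900, fullyVisible: false }, { t: 1000, fullyVisible: true },
];
console.log(policy.source, policy.ignoredXFrameOptions, minVisible);
console.log(shouldDeliverInput(timeline, 800, minVisible));  // delivered
console.log(shouldDeliverInput(timeline, 1100, minVisible)); // blocked, re-shown too recently
```

A click at t=1100 is dropped even though the element is visible at that moment, because it was obscured at t=900 and has only been fully visible again for 100 ms; that is the timing-attack case the abstract says X-Frame-Options cannot address. The `report-uri` value is carried through so a page could route the `reason` to its reporting endpoint; the real reporting format is not specified in the quoted text and is not modelled here.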