- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 26 Oct 2012 23:12:54 +0200
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "chairs@w3.org" <chairs@w3.org>, "w3t-comm@w3.org" <w3t-comm@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-Id: <B57010B1-4201-4F76-84B8-76277DC5633C@w3.org>
Thanks, Brad, for the (transition and) publication request. FPWD transition and shortname approved.

--
Thomas Roessler, W3C <tlr@w3.org> (@roessler)

On 2012-10-26, at 23:05 +0200, "Hill, Brad" <bhill@paypal-inc.com> wrote:

> Thomas,
>
> On behalf of the Web Application Security WG we request that the User Interface Safety Directives for Content Security Policy transition to First Public Working Draft in the following location:
>
> User Interface Safety (UISafety)
> http://www.w3.org/TR/2011/WD-UISafety-20121105/
>
> This can be published effective immediately following the TPAC blackout period. (Nov 5?)
>
> The abstract and scope may be found in the document itself at:
> http://dvcs.w3.org/hg/user-interface-safety/raw-file/3e7ba0f12494/user-interface-safety.html
>
> “This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and a reporting mechanism for when they are triggered.”
>
> “In some UI Redressing attacks (also known as Clickjacking), a malicious web application presents a user interface of another web application in a manipulated context to the user, e.g. by partially obscuring the genuine user interface with opaque layers on top, hence tricking the user to click on a button out of context.
>
> “Existing anti-clickjacking measures including frame-busting codes and X-Frame-Options are fundamentally incompatible with embeddable third-party widgets, and insufficient to defend against timing-based attack vectors.
>
> “The User Interface Safety directives encompass the policies defined in X-Frame-Options and also provide a new mechanism to allow web applications to enable heuristic input protections for its user interfaces on user agents.
>
> “To mitigate UI redressing, for example, a web application can request that a user interface element should be fully visible for a minimum period of time before a user input can be delivered.
>
> “The User Interface Safety directive can often be applied to existing applications with few or no changes, but the heuristic hints supplied by the policy may require considerable experimental fine-tuning to achieve an acceptable error rate.
>
> “This specification obsoletes X-Frame-Options. Resources may supply an X-Frame-Options header in addition to a Content-Security-Policy header to indicate policy to user agents that do not implement the directives in this specification. A user agent that understands the directives in this document should ignore the X-Frame-Options header, when present, if User Interface Safety directives are also present in a Content-Security-Policy header. This is to allow resources to only be embedded if the mechanisms described in this specification are enforced, and more restrictive X-Frame-Options policies applied otherwise.”
>
> The WG has documented its agreement to advance this document by issuing a Call for Consensus and receiving no objections, http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0088.html and recorded its formal decision to advance in the minutes of its most recent teleconference here: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-23-Oct-2012.html
>
> Thank you,
>
> Brad Hill
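The quoted abstract describes a user-agent heuristic that withholds input until the target element has been fully visible for a minimum period. The following is an added illustration of that decision logic as a plain model, not code from the UISafety draft or from the WG; the visibility-sample format, the function names and the report shape are assumptions.

```javascript
// Added example: a simplified model of the "fully visible for a minimum period
// before input is delivered" heuristic. Not the working draft's own algorithm.
// A visibility sample is { t: ms since navigation, visible: boolean }, recorded
// by the (assumed) user agent whenever the protected element's visibility changes:
// "visible" means unobscured, untransformed and fully inside the viewport.

// Decide whether an input event at eventTime may be delivered. displayTime is the
// minimum uninterrupted fully-visible interval the policy asks for (assumed name).
function evaluateInputProtection(samples, eventTime, displayTime) {
  // Find the start of the most recent uninterrupted fully-visible run. Any
  // sample where the element was obscured resets the clock, so an overlay that is
  // removed just before a click ("reveal and click" timing) does not count.
  let runStart = null;
  for (const s of samples) {
    if (s.t > eventTime) break;
    if (s.visible) {
      if (runStart === null) runStart = s.t;
    } else {
      runStart = null;
    }
  }
  if (runStart === null) {
    return { deliver: false, reason: 'element not fully visible at input time', visibleFor: 0 };
  }
  const visibleFor = eventTime - runStart;
  if (visibleFor < displayTime) {
    return { deliver: false, reason: `visible for ${visibleFor}ms, policy requires ${displayTime}ms`, visibleFor };
  }
  return { deliver: true, reason: 'ok', visibleFor };
}

// Build the object a user agent could send to the policy's report endpoint when
// input is withheld. Field names are assumptions modelled loosely on CSP reports.
function buildViolationReport(documentUri, decision, eventTime) {
  return {
    'document-uri': documentUri,
    'violated-heuristic': 'display-time',
    'blocked-at': eventTime,
    reason: decision.reason,
  };
}

// Constructed timeline: element painted at 0 ms, covered by an opaque overlay at
// 100 ms, uncovered again at 900 ms. A click induced at 950 ms sees only 50 ms of
// uninterrupted visibility and is withheld; a click at 1500 ms is delivered.
const SAMPLE_TIMELINE = [
  { t: 0, visible: true },
  { t: 100, visible: false },
  { t: 900, visible: true },
];
```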
Received on Friday, 26 October 2012 21:13:03 UTC