- From: Fred Andrews <fredandw@live.com>
- Date: Wed, 12 Sep 2012 12:40:37 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <BLU002-W193D3E42C0D90F22EA52E07AA920@phx.gbl>
Some more challenges for the UI Safety obstruction check. * Widgets implemented by multiple embedded frames that work together and can overlap under normal operation. For example, the website http://googlewebmastercentral.blogspot.com/ embeds google+1 buttons but these are not embedded in the manner anticipated by the UI Safety proposal and can trip ClearClick and would likely causes problems for the Obstruction test too. It appears that top level document JS inserts the iframes for the widget when it finds a <g:plusone> element - one iframe has the button and comment and the other is a hover frame with suggestions which can overlap the button. Both of these iframes are direct children of the top level document. Protecting +1 or 'like' buttons would appear to be one of the goals of this proposal yet it seems problematic for this popular button. It's is not clear that there is a solution to this issue, apart from restricting the input protection to apply to lone widgets. Note that this same website implements the Twitter and Facebook buttons as plane navigation buttons, not as functional widgets! Personally these widgets seem like marketing toys and a land grab and the best solution we could offer users for a safe UI would be to limit these widgets to navigation buttons - they could still be functional but would be expected to navigate to there own safe website for any secure operations, and would be expected to fall back to being simple navigation buttons if JS is disabled. * CSS transforms may frustrate the Obstruction check. CSS transforms in the parent DOM can effect the rendering of the widget and it is not clear if the Obstruction check can deal with this. The screen image as seen from the top document may be significantly different to screen image seen from the widgets document without the transforms. It is not unrealistic to expect some websites to want to customize the placement of widgets with a translation, scale, or even a perspective transform. The test used by ClearClick fails even for a translation. Perhaps the algorithm could be adapted, applying the widget frames current transform matrix to the widget document and also to the bounding box used for comparison, but this does seem like a research project. cheers Fred
Received on Wednesday, 12 September 2012 12:41:09 UTC