Re: [webappsec] Call for Consensus: UISecurity to Last Call Working Draft

From: Hill, Brad <bhill@paypal.com>
Date: Tue, 3 Dec 2013 01:27:23 +0000
To: "Oda, Terri" <terri.oda@intel.com>
CC: Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <61DFB79A-05C1-47F8-BBA3-9365457BAE80@paypal.com>
It does also encompass (currently) the frame-options directive, which governs under what embedding circumstances the user agent should deliver (output?) a UI at all.

On Dec 2, 2013, at 4:35 PM, Oda, Terri <terri.oda@intel.com> wrote:

> Is UISecurity really the best name for this?  The focus seems to be on
> input protection, but typically a UI is considered both input and
> output, but unless I'm mis-reading it, this doesn't seem to do much
> output protection (although I suppose there would be potential for
> layout protection/enforcement based on the heuristics described, it
> doesn't appear that such protections are the goal).  Maybe the title
> of this document should be something a bit more precise such as "input
> security" or "clickjacking mitigation" to make the purpose of these
> directives more clear to new readers?
Received on Thursday, 5 December 2013 21:53:20 UTC