
Re: Cross-domain information leak with UI Security Directives

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 10 Jun 2013 20:37:30 -0700
Message-ID: <CAPfop_1RLMk46_dpSojft6RpKso+762udNMe_LStWAr69BaQXA@mail.gmail.com>
To: Peleus Uhley <puhley@adobe.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> The primary concern with this issue is that it would
> be a by-default information leak in the browser that
> sites would have to take action to protect themselves
> against it. Do we think that this risk merits a change
> to the spec? Any additional ideas or concerns?

I think this is the key concern: we are adding a whole new "default
insecure" threat for legacy web applications that might have no idea
what is happening in the world of webappsec. Instead, may I suggest
that the UI security spec is only enforced if both of the security
principals in question have opted in to trusting each other via an
appropriate X-Frame-Options (or CSP frame-options) and CSP frame-src
directive. If not enforcement, then reporting is only enforced if both
principals opt in?

I am not sure how practical this is (if at all) for the web
applications the specification targets.

Received on Tuesday, 11 June 2013 03:38:17 UTC
