
Re: Cross-domain information leak with UI Security Directives

From: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
Date: Mon, 10 Jun 2013 21:08:49 -0700
Message-ID: <CAGiwpwgQB8GKO=qPhjfZwDi0tFd5_KYD3GpH=-AbqTarSAteCQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Peleus Uhley <puhley@adobe.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jun 10, 2013 at 8:37 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > The primary concern with this issue is that it would
> > be a by-default information leak in the browser that
> > sites would have to take action to protect themselves
> > against it. Do we think that this risk merits a change
> > to the spec? Any additional ideas or concerns?
>
> I think this is the key concern: we are adding a whole new "default
> insecure" threat for legacy web applications who might have no idea
> what is happening in the world of webappsec. Instead, may I suggest
> that the UI security spec is only enforced if both the security
> principals in question have opted-in to trusting each other via an
> appropriate X-Frame-Options (or csp frame-options) and csp frame-src
> directive. If not enforcement, the reporting is only enforced if both
> principals opt-in ?
>

If so then attacker.com will happily not opt-in and the defense would never
be enabled :(


> I am not sure how practical this is (if at all)  for the web
> applications the specification targets.
>
> regards
> Dev
>
>
Received on Tuesday, 11 June 2013 04:09:23 UTC
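The "both principals opt in" rule Dev proposes, and David's objection to it, can be made concrete with a small policy check. The following is an added example, not code from either author or from the UI Security Directives spec: it models the embedder opting in through a CSP `frame-src` directive and the embedded document opting in through `X-Frame-Options: ALLOW-FROM` or a CSP `frame-ancestors` directive (the directive the thread calls "csp frame-options" shipped under the name `frame-ancestors` in CSP Level 2). The host names, headers and the simplified CSP source-expression parser are all constructed for the demonstration.

```python
"""Mutual opt-in check for framing, modelled on the proposal in the thread.

Constructed example: given the response headers of the embedding page
(the top-level document) and of the embedded page (the iframe), decide
whether both principals have opted in to trusting each other:

  * the embedder must admit the embedded origin in a CSP frame-src
    directive, and
  * the embedded document must admit the embedder via
    X-Frame-Options: ALLOW-FROM <origin> or a CSP frame-ancestors directive.

The parser below handles only the subset of CSP source syntax needed here
('self', 'none', '*', exact origins and host wildcards such as *.example).
"""
from urllib.parse import urlsplit


def _origin_parts(origin):
    """Split an origin like https://bank.example:443 into (scheme, host, port)."""
    parts = urlsplit(origin)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def _source_matches(source, origin, self_origin):
    """True if one CSP source expression admits `origin`."""
    source = source.strip()
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_parts(self_origin) == _origin_parts(origin)
    if source == "*":
        return True
    # A host-source may omit the scheme; default it to the policy's own scheme.
    if "://" not in source:
        source = f"{urlsplit(self_origin).scheme}://{source}"
    s_scheme, s_host, s_port = _origin_parts(source)
    o_scheme, o_host, o_port = _origin_parts(origin)
    if s_scheme != o_scheme or s_port != o_port:
        return False
    if s_host.startswith("*."):
        return o_host.endswith(s_host[1:])  # "*.example" matches "a.example"
    return s_host == o_host


def _csp_directive(headers, name):
    """Return the source list of CSP directive `name`, or None if it is absent."""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def embedder_opts_in(embedder_origin, embedder_headers, embedded_origin):
    """The embedder trusts the embedded origin iff its frame-src admits it."""
    sources = _csp_directive(embedder_headers, "frame-src")
    if sources is None:
        return False  # no frame-src at all: nothing was opted in
    return any(_source_matches(s, embedded_origin, embedder_origin) for s in sources)


def embedded_opts_in(embedded_origin, embedded_headers, embedder_origin):
    """The embedded document trusts the embedder via frame-ancestors or ALLOW-FROM."""
    sources = _csp_directive(embedded_headers, "frame-ancestors")
    if sources is not None:
        return any(_source_matches(s, embedder_origin, embedded_origin) for s in sources)
    xfo = embedded_headers.get("X-Frame-Options", "").strip()
    if xfo.upper() == "SAMEORIGIN":
        return _origin_parts(embedded_origin) == _origin_parts(embedder_origin)
    if xfo.upper().startswith("ALLOW-FROM "):
        return _origin_parts(xfo.split(None, 1)[1]) == _origin_parts(embedder_origin)
    return False  # DENY, absent or unrecognised: no opt-in


def ui_security_enforced(embedder_origin, embedder_headers,
                         embedded_origin, embedded_headers):
    """The proposal under discussion: enforce only when both principals opt in."""
    return (embedder_opts_in(embedder_origin, embedder_headers, embedded_origin)
            and embedded_opts_in(embedded_origin, embedded_headers, embedder_origin))


# Constructed scenarios with hypothetical hosts.
BANK = "https://bank.example"
PARTNER = "https://partner.example"
ATTACKER = "https://attacker.example"

BANK_HEADERS = {"X-Frame-Options": f"ALLOW-FROM {PARTNER}"}
PARTNER_HEADERS = {"Content-Security-Policy": f"frame-src {BANK}"}
ATTACKER_HEADERS = {}  # the hostile embedder simply sends no policy


def scenarios():
    """Outcome of the mutual opt-in rule for a cooperating and a hostile embedder."""
    return {
        # Both sides named each other, so the directives would be enforced.
        "partner_frames_bank": ui_security_enforced(PARTNER, PARTNER_HEADERS, BANK, BANK_HEADERS),
        # David's objection: the attacker never opts in, so nothing is enforced.
        "attacker_frames_bank": ui_security_enforced(ATTACKER, ATTACKER_HEADERS, BANK, BANK_HEADERS),
    }


if __name__ == "__main__":
    for name, enforced in scenarios().items():
        print(f"{name}: enforced={enforced}")
```

The second scenario is the crux of the reply: because enforcement hinges on the embedder's own `frame-src`, a page that omits the header opts out of the protection on behalf of every site it frames, which is the opposite of what a default-on clickjacking defence needs.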
