W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: Cross-domain information leak with UI Security Directives

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 11 Jun 2013 10:00:11 -0700
Message-ID: <CAPfop_3L2e=2MGiPyumkOsV1U+WBvTRzD9+Y0R_HYnesDFDEUw@mail.gmail.com>
To: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
Cc: Peleus Uhley <puhley@adobe.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> If so then attacker.com will happily not opt-in and the defense would never
> be enabled :(

yes, and the website in question can switch to other fraud
detection/prevention mechanisms such as a longer flow. For example, it
could open a new window, with a manual delay and ask for a second
click. I envision it being similar to how implementors will support
legacy browsers. We will need a way for code to figure out that all
other principals on the canvas opted-in and UISecurity is enabled.

Received on Tuesday, 11 June 2013 17:00:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC