Re: [webappsec] ISSUE-53: UISecurity input-protection heuristic for composited rendering

From: Giorgio Maone <g.maone@informaction.com>
Date: Wed, 23 Oct 2013 00:13:09 +0200
Message-ID: <5266F875.2030403@informaction.com>
To: Brad Hill <hillbrad@gmail.com>, David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, robert@ocallahan.org

On 15/10/2013 00:38, Brad Hill wrote:
> So, there is no way to get the final rendering, even for the
> compositor thread managing the outermost document?  :/   You can't
> read the pixels back from the GPU when you know you have a hit to a
> protected region?
> Also:  thoughts on whether we should keep the clipping rectangle
> around the hit, or just allow element selectors only?

I think before giving up we should ask some browser folks actually well
versed in their layout/rendering implementations to chime in and tell us
whether what we're trying to accomplish is more or less viable, and/or
if there's a better approach to achieve the same goals.

Also, since the protection is opt-in, *maybe* a trade-off between
rendering performance and security would be acceptable, if properly

As a start I'm CCing Robert O'Callahan, who IIRC works or used to work
on Mozilla's gfx internals: could you please take a look at


? Any comments/suggestions? Many thanks in advance!

Also if you know any other field expert from
Mozilla/Google/Apple/Microsoft who may want to help, please let us know.

Thank you
-- G
Received on Tuesday, 22 October 2013 22:13:33 UTC