[webappsec] new UISecurity draft, based on IronFrame and IntersectionObserver

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 03 Dec 2015 23:37:33 +0000
Message-ID: <CAEeYn8gODpUmkY8EmMxz+YR_OWBmhF1brZr1Ssk76HXY3dYXag@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Kaminsky <dan@whiteops.com>, Alex Russell <slightlyoff@google.com>, mpb@google.com

I've finally got a new UISecurity draft based on the Observer API pattern
up in its own repository and available for review!

http://w3c.github.io/webappsec-uisecurity/
https://github.com/w3c/webappsec-uisecurity

The updated spec takes the core idea of Kaminsky's IronFrame and puts it in
an API context that looks very similar to IntersectionObserver.  Some key
differences are described in a note in the introduction section.  This spec
also introduces a declarative API through a Content Security Policy
directive, implemented in terms of the observer internals.
IntersectionObserver is a great concept and API, but I think it meets
primarily advertising use cases, and doesn't really solve many common
clickjacking attacks.

Feedback would be *greatly* appreciated.

-Brad Hill (as editor)
Received on Thursday, 3 December 2015 23:38:11 UTC