[webappsec] new UISecurity draft, based on IronFrame and IntersectionObserver

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 03 Dec 2015 23:37:33 +0000
Message-ID: <CAEeYn8gODpUmkY8EmMxz+YR_OWBmhF1brZr1Ssk76HXY3dYXag@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Kaminsky <dan@whiteops.com>, Alex Russell <slightlyoff@google.com>, mpb@google.com

I've finally got a new UISecurity draft based on the Observer API pattern
up in its own repository and available for review!


The updated spec takes the core idea of Kaminsky's IronFrame and puts it in
an API context that looks very similar to IntersectionObserver.  Some key
differences are described in a note in the introduction section.  This spec
also introduces a declarative API through a Content Security Policy
directive, implemented in terms of the observer internals.
IntersectionObserver is a great concept and API, but I think it meets
primarily advertising use cases, and doesn't really solve many common
clickjacking attacks.

Feedback would be *greatly* appreciated.

-Brad Hill (as editor)
Received on Thursday, 3 December 2015 23:38:11 UTC
