I've finally got a new UISecurity draft based on the Observer API pattern
up in its own repository and available for review!

http://w3c.github.io/webappsec-uisecurity/
https://github.com/w3c/webappsec-uisecurity

The updated spec takes the core idea of Kaminsky's IronFrame and puts it in
an API context that looks very similar to IntersectionObserver. Some key
differences are described in a note in the introduction section. This spec
also introduces a declarative API through a Content Security Policy
directive, implemented in terms of the observer internals.

IntersectionObserver is a great concept and API, but I think it meets
primarily advertising use cases, and doesn't really solve many common
clickjacking attacks.

Feedback would be *greatly* appreciated.

-Brad Hill (as editor)