Re: [UI Security] iframe URL indicator from Brad Hill on 2016-02-22 (public-webappsec@w3.org from February 2016)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 22 Feb 2016 04:59:09 +0000
To: Bil Corry <bil@corry.biz>, public-webappsec@w3.org
Message-ID: <CAEeYn8iXw2oUa0idKUf5RPyovXJPB7zt9wOawzV8MSKvCeDx4A@mail.gmail.com>

These kinds of decisions have proven in practice to be beyond the ability
of groups like ours to specify well.  Our intuituons about users'
understandings are not as good as data, may not be universal, or may need
different treatment on different devices and experiences.  With my editor
hat on, I'm inclined to leave this to each UA to experiment with and
determine what is best for their userbase.

-Brad

On Sat, Feb 13, 2016, 5:21 AM Bil Corry <bil@corry.biz> wrote:

> Hi,
>
> i was reviewing the UI Security draft [1] and wondered if there were plans
> to incorporate IronFrame's URL indicator for the iframe domain [2].  That
> is to say, will a user be able to see the URL of the iframe that is in
> focus?
>
> Thanks,
>
> - Bil
>
>
> [1] http://w3c.github.io/webappsec-uisecurity/
>
> [2] Slide 72:
> http://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickjacking/
>

Received on Monday, 22 February 2016 04:59:48 UTC