- From: Dan Kaminsky <dan@doxpara.com>
- Date: Mon, 22 Feb 2016 01:05:45 -0800
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Bil Corry <bil@corry.biz>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 22 February 2016 09:06:15 UTC
Perhaps true, but there's wide classes of interactions that cannot be secured without address bar management. I'm hoping to have a usable test platform including this feature in the next 4-6 weeks. Where I think everyone would agree is that this feature needs user data before approval in a way normal features might not. On Sunday, February 21, 2016, Brad Hill <hillbrad@gmail.com> wrote: > These kinds of decisions have proven in practice to be beyond the ability > of groups like ours to specify well. Our intuituons about users' > understandings are not as good as data, may not be universal, or may need > different treatment on different devices and experiences. With my editor > hat on, I'm inclined to leave this to each UA to experiment with and > determine what is best for their userbase. > > -Brad > > On Sat, Feb 13, 2016, 5:21 AM Bil Corry <bil@corry.biz > <javascript:_e(%7B%7D,'cvml','bil@corry.biz');>> wrote: > >> Hi, >> >> i was reviewing the UI Security draft [1] and wondered if there were >> plans to incorporate IronFrame's URL indicator for the iframe domain [2]. >> That is to say, will a user be able to see the URL of the iframe that is in >> focus? >> >> Thanks, >> >> - Bil >> >> >> [1] http://w3c.github.io/webappsec-uisecurity/ >> >> [2] Slide 72: >> http://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickjacking/ >> >
Received on Monday, 22 February 2016 09:06:15 UTC