
Re: [UI Security] iframe URL indicator

From: Dan Kaminsky <dan@doxpara.com>
Date: Mon, 22 Feb 2016 01:05:45 -0800
Message-ID: <CAEW7ACkhbaxobSyA_=njYMFwJefaiZi0wHu+7h5zjCJk-xg=QA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Bil Corry <bil@corry.biz>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Perhaps true, but there are wide classes of interactions that cannot be
secured without address bar management. I'm hoping to have a usable test
platform including this feature in the next 4-6 weeks.  Where I think
everyone would agree is that this feature needs user data before approval
in a way normal features might not.

On Sunday, February 21, 2016, Brad Hill <hillbrad@gmail.com> wrote:

> These kinds of decisions have proven in practice to be beyond the ability
> of groups like ours to specify well.  Our intuitions about users'
> understandings are not as good as data, may not be universal, or may need
> different treatment on different devices and experiences.  With my editor
> hat on, I'm inclined to leave this to each UA to experiment with and
> determine what is best for their userbase.
>
> -Brad
>
> On Sat, Feb 13, 2016, 5:21 AM Bil Corry <bil@corry.biz> wrote:
>
>> Hi,
>>
>> I was reviewing the UI Security draft [1] and wondered if there were
>> plans to incorporate IronFrame's URL indicator for the iframe domain [2].
>> That is to say, will a user be able to see the URL of the iframe that is in
>> focus?
>>
>> Thanks,
>>
>> - Bil
>>
>>
>> [1] http://w3c.github.io/webappsec-uisecurity/
>>
>> [2] Slide 72:
>> http://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickjacking/
>>
>
Received on Monday, 22 February 2016 09:06:15 UTC
