- From: Mike West <mkwst@google.com>
- Date: Tue, 12 Jan 2016 10:24:56 +0100
- To: "Oda, Terri" <terri.oda@intel.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 12 January 2016 09:25:45 UTC
On Tue, Jan 12, 2016 at 12:55 AM, Oda, Terri <terri.oda@intel.com> wrote:
> On the subject of smaller nits...
>
> In section 1.2, you say:
>
> "Mitigate the risk of attacks which require a resource to be embedded in a
> malicious context ("Pixel Perfect", etc) by giving developers granular
> control over the origins which can embed a given resource."
>
> I'm not sure what you meant by "Pixel Perfect" -- are you referring to the
> Firefox plugin or something else? I'm betting if it wasn't immediately
> clear to me, it won't be clear to other readers either, and a quick web
> search mostly yielded a bunch of hits for some Disney movie whose plot
> doesn't seem to involve teaching teens about good web security policy. ;)
>
I'm talking about the timing attacks described in
http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf. I've
clarified things (hopefully!) in
https://github.com/w3c/webappsec-csp/commit/4b5e4850964a3b1bbcb6d669a2dec4307334624b,
thanks!
-mike