
Re: new CSP draft.

From: Mike West <mkwst@google.com>
Date: Tue, 12 Jan 2016 10:24:56 +0100
Message-ID: <CAKXHy=fJXncB=Z9TVNppdPCmQQ5xFvSHgrKtNcvZquzKsz50Pg@mail.gmail.com>
To: "Oda, Terri" <terri.oda@intel.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jan 12, 2016 at 12:55 AM, Oda, Terri <terri.oda@intel.com> wrote:

> On the subject of smaller nits...
>
> In section 1.2, you say:
>
> "Mitigate the risk of attacks which require a resource to be embedded in a
> malicious context ("Pixel Perfect", etc) by giving developers granular
> control over the origins which can embed a given resource."
>
> I'm not sure what you meant by "Pixel Perfect" -- are you referring to the
> Firefox plugin or something else?  I'm betting if it wasn't immediately
> clear to me, it won't be clear to other readers either, and a quick web
> search mostly yielded a bunch of hits for some Disney movie whose plot
> doesn't seem to involve teaching teens about good web security policy. ;)
>

I'm talking about the timing attacks described in
http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf. I've
clarified things (hopefully!) in
https://github.com/w3c/webappsec-csp/commit/4b5e4850964a3b1bbcb6d669a2dec4307334624b,
thanks!

-mike
Received on Tuesday, 12 January 2016 09:25:45 UTC
