Re: new CSP draft.

On Tue, Jan 12, 2016 at 12:55 AM, Oda, Terri <terri.oda@intel.com> wrote:

> On the subject of smaller nits...
>
> In section 1.2, you say:
>
> "Mitigate the risk of attacks which require a resource to be embedded in a
> malicious context ("Pixel Perfect", etc) by giving developers granular
> control over the origins which can embed a given resource."
>
> I'm not sure what you meant by "Pixel Perfect" -- are you referring to the
> Firefox plugin or something else?  I'm betting if it wasn't immediately
> clear to me, it won't be clear to other readers either, and a quick web
> search mostly yielded a bunch of hits for some Disney movie whose plot
> doesn't seem to involve teaching teens about good web security policy. ;)
>

I'm talking about the timing attacks described in
http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf. I've
clarified things (hopefully!) in
https://github.com/w3c/webappsec-csp/commit/4b5e4850964a3b1bbcb6d669a2dec4307334624b,
thanks!

-mike

Received on Tuesday, 12 January 2016 09:25:45 UTC