user-interface-safety.html
author bhill2
Thu, 17 Apr 2014 22:52:29 +0000
changeset 31 cdfe8d12ba6b
parent 30 eeb5fc3a054e
child 33 902257e1fe71
permissions -rw-r--r--
fixed section numbering issue and reference to obsolete frame-options directive
<!DOCTYPE html>
<html>
<head>
  <!--link href="http://www.w3.org/StyleSheets/TR/W3C-ED" rel="stylesheet" type="text/css" charset="utf-8"-->
  <title>User Interface Security Directives for Content Security Policy</title>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <!--
  === NOTA BENE ===
  For the three scripts below, if your spec resides on dev.w3 you can check them
  out in the same tree and use relative links so that they'll work offline,
  -->
  <script src='https://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script>
  <!--script src='js/respec-w3c-common.js' class='remove' async></script-->
  <script type="text/javascript" class="remove">
      var respecConfig = {
        // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
        // Member-SUBM
        specStatus: "LC",

        // the specification's short name, as in http://www.w3.org/TR/short-name/
        shortName:  "UISecurity",

        // if your specification has a subtitle that goes below the main
        // formal title, define it here
        // subtitle   :  "an excellent document",

        // if you wish the publication date to be other than today, set this
        publishDate:  "2014-03-18",

        // if the specification's copyright date is a range of years, specify
        // the start date here:
        copyrightStart: "2012",

        // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
        // and its maturity status
        previousPublishDate:  "2013-05-23",
        previousMaturity:  "WD",

        // if there is a publicly available Editor's Draft, this is the link
        edDraftURI: "http://dvcs.w3.org/hg/user-interface-safety/raw-file/tip/user-interface-safety.html",

        // if this is a LCWD, uncomment and set the end of its review period
        lcEnd: "2014-06-18",

        // if you want to have extra CSS, append them to this list
        // it is recommended that the respec.css stylesheet be kept
        //extraCSS: ["css/respec.css"],

        // editors, add as many as you like
        // only "name" is required
        editors:  [
          { name: "Giorgio Maone", url: "http://maone.net/",
            company: "Invited Expert", companyURL: "" },
          { name: "David Lin-Shung Huang", url: "mailto:linshung.huang@sv.cmu.edu",
            company: "Carnegie Mellon University", companyURL: "http://www.cmu.edu/" },
          { name: "Tobias Gondrom", url: "mailto:tobias.gondrom@gondrom.org", company: "Invited Expert" },
          { name: "Brad Hill", url: "mailto:bhill@paypal-inc.com",
            company: "PayPal Inc.", companyURL: "https://www.paypal.com/" },
        ],

        // authors, add as many as you like.
        // This is optional, uncomment if you have authors as well as editors.
        // only "name" is required. Same format as editors.

        //authors:  [
        //    { name: "Your Name", url: "http://example.org/",
        //      company: "Your Company", companyURL: "http://example.com/" },
        //],

        // name of the WG
        wg:           "Web Application Security Working Group",

        // URI of the public WG page
        wgURI:        "http://www.w3.org/2011/webappsec/",

        // name (with the @w3c.org) of the public mailing to which comments are due
        wgPublicList: "public-webappsec",

        // URI of the patent status for this WG, for Rec-track documents
        // !!!! IMPORTANT !!!!
        // This is important for Rec-track documents, do not copy a patent URI from a random
        // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
        // Team Contact.
        wgPatentURI:  "http://www.w3.org/2004/01/pp-impl/49309/status",

        // local bibliography
        localBiblio: {
"CSP" : "B. Sterne and A. Barth <a href=\"http://www.w3.org/TR/CSP/\"><cite>Content Security Policy 1.0</cite></a>. W3C Candidate Recommendation. (Work in progress.) URL: <a href=\"http://www.w3.org/TR/2012/CR-CSP-20121115/\">http://www.w3.org/TR/2012/CR-CSP-20121115/</a>",
"RFC7034" : "D. Ross and T. Gondrom, IETF <a href=\"http://tools.ietf.org/html/rfc7034\"><cite>HTTP Header X-Frame-Options</cite></a>. Internet RFC 7034 URL: <a href=\"http://tools.ietf.org/html/rfc7034\">http://tools.ietf.org/html/rfc7034</a>",
"CLEARCLICK" : "G. Maone <a href=\"http://noscript.net/downloads/ClearClick_WAS2012_rv2.pdf\"><cite>ClearClick: Effective Client-Side Protection Against UI Redressing Attacks</cite></a>. (Work in progress.) URL: <a href=\"http://noscript.net/downloads/ClearClick_WAS2012_rv2.pdf\">http://noscript.net/downloads/ClearClick_WAS2012_rv2.pdf</a>",
"UIREDRESS" : "M. Zalewski <a href=\"http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)\"><cite>Browser Security Handbook, part 2</cite></a>. URL: <a href=\"http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)\">http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)</a>",
"FRAMEBUSTING" : "Boneh, et al. <a href=\"http://seclab.stanford.edu/websec/framebusting/\"><cite>Busting frame busting: a study of clickjacking vulnerabilities at popular sites</cite></a>. URL: <a href=\"http://seclab.stanford.edu/websec/framebusting/\">http://seclab.stanford.edu/websec/framebusting/</a>",
"MEDIACAPTURE":"D. Burnett, A. Bergkvist, C. Jennings and A. Narayanan <a href=\"http://www.w3.org/TR/mediacapture-streams/\"><cite>Media Capture and Streams</cite></a>. W3C Working Draft (Work in progress.) URL: <a href=\"http://www.w3.org/TR/mediacapture-streams/\">http://www.w3.org/TR/mediacapture-streams/</a>",
"INCONTEXT" : "Lin-Shung Huang, et al. <a href=\"https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf\"><cite>Clickjacking: Attacks and Defenses</cite></a> published in the 21st USENIX Security Symposium Proceedings.  URL: <a href=\"https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf\">https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf</a>",
"SELECTORS4" : "Elika J. Etemad. <a href=\"http://www.w3.org/TR/2011/WD-selectors4-20110929/\"><cite>Selectors Level 4.</cite></a> 29 September 2011. W3C Working Draft. (Work in progress.) URL: <a href=\"http://www.w3.org/TR/2011/WD-selectors4-20110929/\">http://www.w3.org/TR/2011/WD-selectors4-20110929/</a>",
"POINTER-EVENTS" : "Jacob Rossi and Matt Brubeck. <a href=\"http://www.w3.org/TR/pointerevents/\"><cite>Pointer Events.</cite></a> 19 February 2013 W3C Working Draft. (Work in progress.) URL: <a href=\"http://www.w3.org/TR/pointerevents/\">http://www.w3.org/TR/pointerevents/</a>",
"CAPTCHA-Wikipedia" : "Wikipedia <a href=\"http://en.wikipedia.org/wiki/CAPTCHA\"><cite>CAPTCHA</cite></a> from Wikipedia. URL: <a href=\"http://en.wikipedia.org/wiki/CAPTCHA\">http://en.wikipedia.org/wiki/CAPTCHA</a>",
"CLICKJACKING-Unresolved" : "Lin-Shung Huang and Collin Jackson. <a href=\"https://docs.google.com/document/pub?id=1hVcxPeCidZrM5acFH9ZoTYzg1D0VjkG3BDW_oUdn5qc\"><cite>Clickjacking Attacks Unresolved.</cite></a> Carnegie Mellon University, 06 July 2011. URL: <a href=\"https://docs.google.com/document/pub?id=1hVcxPeCidZrM5acFH9ZoTYzg1D0VjkG3BDW_oUdn5qc\">https://docs.google.com/document/pub?id=1hVcxPeCidZrM5acFH9ZoTYzg1D0VjkG3BDW_oUdn5qc</a>",
"CSP11" : "A. Barth, D. Veditz and M. West <a href=\"https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html\"><cite>Content Security Policy 1.1</cite></a>. W3C Editors' Draft. (Work in progress.) URL: <a href=\"https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html\">https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html</a>"
        }

      };
  </script>
</head>

<body>

<section id=abstract>

<p>This document defines directives for the Content Security Policy mechanism to
declare a set of input protections for a web resource's user interface, a
non-normative set of heuristics for Web user agents to implement these input
protections, and a reporting mechanism for when they are triggered. </p>

</section>

<section id=sotd>
<p>This is a Working Draft of the User Interface Security Directives for Content
Security Policy. [[!CSP]]</p>

<p>Portions of the technology described in this document were originally
developed as part of <code>X-Frame-Options</code> [[!RFC7034]], the ClearClick
module of the Mozilla Firefox add-on NoScript [[CLEARCLICK]], and in the InContext
system implemented experimentally in Internet Explorer [[INCONTEXT]]. </p>

<p>In addition to the documents in the W3C Web Application Security working group,
the work on this document is also informed by the work of the
<a href="http://tools.ietf.org/wg/websec/">IETF websec working group</a>,
particularly that working group's requirements document:
<a href="http://tools.ietf.org/id/draft-hodges-websec-framework-reqs">draft-hodges-websec-framework-reqs</a>.
</p>

</section><section class=informative>
<h2>Introduction</h2>

<p>This document defines User Interface Security directives for Content Security
Policy, a mechanism web applications can use to mitigate some of the risks of
User Interface (UI) Redressing [[UIREDRESS]] (AKA "Clickjacking") vulnerabilities
that can lead to fraudulent actions not intended by the user. </p>

<p>Content Security Policy (CSP) is a declarative policy that lets the authors
(or server administrators) of a web application restrict the behavior of a
document, e.g. the origins from which it can load its resources or the ways it
can execute scripts.  This document defines directives to restrict the
presentation or the interactivity of a resource when its interaction with the
user may be happening in an ambiguous or deceitful context due to the spatial
and/or temporal contiguity with other content displayed by the user agent. </p>

<p>A user agent may implement the core directives of CSP independently from the
directives in this specification, but this specification requires the policy
conveyance and reporting mechanisms described in CSP.  The interpretation of
terms imported into this document from CSP may vary depending on the version
implemented by the user agent.  For example, a <code>source-expression</code>
in Content Security Policy 1.0 is at the granularity of an <code>origin</code>
[[!ORIGIN]] but may be more granular in future versions of the core Content
Security Policy.  </p>

<p>Application authors SHOULD transmit the directives in this specification
as part of a single, complete Content Security Policy, as indicated by that
specification. </p>

<p>In some UI Redressing attacks (also known as Clickjacking), a malicious web
application presents a user interface of another web application in a manipulated
context to the user, e.g. by partially obscuring the genuine user interface with
opaque layers on top, hence tricking the user into clicking on a button out of context. </p>

<p>Existing anti-clickjacking measures, including frame-busting code [[FRAMEBUSTING]]
and <code>X-Frame-Options</code>, cannot be used to protect resources where
the set of origins that should be allowed and disallowed is unknown or where
attacks might come from origins intended to be allowed by a use scenario, nor
can they defend against timing-based attacks involving multiple windows instead
of multiple frames.  Frame-busting scripts also rely on browser behavior that has
not been engineered to provide a security guarantee.  As a consequence, such
scripts may be unreliable if loaded inside a sandbox or otherwise disabled.</p>

<p>The User Interface Security directives encompass the policies defined in
<code>X-Frame-Options</code> and also provide a new mechanism to allow web
applications to enable heuristic input protections for their user interfaces on
user agents. </p>
<p>To mitigate UI redressing, for example, a web application can request that a user interface element should be fully visible for a minimum period of time before a user input can be delivered. </p>
<p>The User Interface Security directive can often be applied to existing applications with few or no changes, but the heuristic hints supplied by the policy may require considerable experimental fine-tuning to achieve an acceptable error rate. </p>

<p>This specification supersedes <code>X-Frame-Options</code>. Resources may supply an <code>X-Frame-Options</code> header in addition to a Content-Security-Policy header to indicate policy to user agents that do not implement the directives in this specification. A user agent that understands the directives in this document SHOULD ignore the <code>X-Frame-Options</code> header, when present, if User Interface Security directives are also present in a Content-Security-Policy header. This is to allow resources to only be embedded if the mechanisms described in this specification are enforced, and more restrictive <code>X-Frame-Options</code> policies applied otherwise.</p>
</section><section id=conformance>
<p>Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("MUST", "SHOULD", "MAY", etc) used in introducing the algorithm. </p>

<p>A conformant user agent is one that implements all the requirements listed in this specification that are applicable to user-agents. Treatment of
the <code>input-protection</code>, <code>input-protection-clip</code> and <code>input-protection-selectors</code> directives is at the discretion of the
user agent.</p>
<p>A conformant server is one that implements all the requirements listed in this specification that are applicable to servers. </p>
<section>
<h3>Terminology</h3>
<p>This section defines several terms used throughout the document. </p>

<p>The term <dfn>security policy</dfn>, or simply <dfn>policy</dfn>, for the
purposes of this specification refers to either: </p>
<ol>
  <li>a set of security preferences for restricting the behavior of content
    within a given resource, or</li>
  <li>a fragment of text that codifies these preferences.</li>
</ol>
<p>The security policies defined by this document are applied by a user agent on a <em>per-resource representation basis</em>. Specifically, when a user agent receives a policy along with the representation of a given resource, that policy applies to <em>that resource representation only</em>. This document often refers to that resource representation as the <dfn>protected resource</dfn>. </p>
<p>A server transmits its security policy for a particular resource as a collection of <dfn>directives</dfn>, such as <code>default-src 'self'</code>, each of which controls a specific set of privileges for a document rendered by the user agent. More details are provided in the <a href="#directives">directives</a> section. </p>
<p>A directive consists of a <dfn>directive name</dfn>, which indicates the privileges controlled by the directive, and a <dfn>directive value</dfn>, which specifies the restrictions the policy imposes on those privileges. </p> 
<p> An <dfn>ancestor</dfn> is any resource between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are ancestors of C. If A embeds both B and C, B is not an ancestor of C, but A still is.</p>
<p>The term <dfn>origin</dfn> is defined in the Origin specification. [<em><a href="http://tools.ietf.org/html/draft-ietf-websec-origin">ORIGIN</a></em>] </p>
<p>The term <dfn>URI</dfn> is defined in the URI specification. [[!URI]] </p>

<p>The <code>&lt;iframe&gt;</code>, <code>&lt;object&gt;</code>,
<code>&lt;embed&gt;</code>, and <code>&lt;frame&gt;</code>
elements are defined in the HTML5 standard.
[[!HTML5]] </p>

<p>The <code>&lt;applet&gt;</code> element is defined in the HTML 4.01
standard. [[!HTML401]] </p>

<p>The Augmented Backus-Naur Form (ABNF) notation used in this document is
specified in RFC 5234. [[!ABNF]] </p>

<p>The following core rules are included by reference, as defined in [<em><a
href="http://tools.ietf.org/html/rfc5234#appendix-B.1">ABNF Appendix
B.1</a></em>]: <code>ALPHA</code> (letters), <code>DIGIT</code> (decimal 0-9),
<code>WSP</code> (white space) and <code>VCHAR</code> (printing characters).
</p>

<p>The OWS rule is used where zero or more linear whitespace octets might
appear. OWS SHOULD either not be produced or be produced as a single SP.
Multiple OWS octets that occur within field-content SHOULD either be replaced
with a single SP or transformed to all SP octets (each octet other than SP
replaced with SP) before interpreting the field value or forwarding the message
downstream. </p>
<pre>OWS            = *( SP / HTAB / obs-fold )
               ; "optional" whitespace
obs-fold       = CRLF ( SP / HTAB )
               ; obsolete line folding</pre>

<p>A <dfn id=selector-string>selector string</dfn> is a list of one or more
  <a href="http://dev.w3.org/csswg/selectors4/#complex">complex
  selectors</a> (see [[SELECTORS4]], section 3.1) that
  <em class=ct>may</em> be surrounded by whitespace and matches the
  <code>dom_selectors_group</code> production.
</p>
<pre>dom_selectors_group
  : S* [ selectors_group ] S*
  ;
</pre>

<p>An <dfn id="embedding-source-list">embedding source list</dfn> follows the ABNF and parsing rules defined for <a href="http://www.w3.org/TR/CSP/#source-list">source-list</a> (see [[!CSP]] section 3.22) with the following new productions:</p>

<pre>embedding-keyword-source = "'self'" / "'deny'"
embedding-source-expression = host-source / embedding-keyword-source
embedding-source-list = *WSP [ embedding-source-expression *( 1*WSP embedding-source-expression ) *WSP ]
</pre>
</section>
</section>
<section>
<h2 id="sec-directives">Directives</h2>

<p>This section describes the content security policy directives introduced in
this specification. </p>

<section id="input-protection">
<h3><code>input-protection</code></h3>

<p>The <code>input-protection</code> directive, if present or implied, instructs the user
agent to apply the heuristic UI redressing protections described in the <a
href="#heuristic">Input Protection Heuristic</a> section to user input events, such as <code>click</code>,
<code>keypress</code>, <code>touch</code>, and <code>drag</code>, before they
are delivered to the resource. </p>
<p>The screenshot comparison heuristic, in particular, uses the body-bounding rectangle
of the document triggering the event as its default reference area,
or the rectangle defined by the <code>input-protection-clip</code>
and by the <code>input-protection-selectors</code> directives if any of those is explicitly set.
</p>

<p>If the <code>input-protection-clip</code> directive is set as part of a <code>Content-Security-Policy</code>, triggering of
the heuristic should cancel delivery of the UI event to the target and
cause a violation report to be sent.  If set as part of a
<code>Content-Security-Policy-Report-Only</code>, triggering of the heuristic
should result in the event being delivered with the <code>unsafe</code>
attribute on the <code>UIEvent</code> set to <code>true</code>
and cause a violation report to be sent.</p>

<p>The optional directive value allows resource authors to provide <a href="#input-protection-options">options</a> for heuristic tuning
in the form of space-separated <code>option-name=option-value</code> pairs. </p>

<pre>
directive-name    = "input-protection"
directive-value   = ["display-time=" num-val] ["tolerance=" num-val]</pre>

<p>If the policy does not contain a value for this directive
or any of the hint name=value pairs are absent, the user agent SHOULD apply default
values for hints as described in the following. </p>
<dl id="input-protection-options">
<dt><code>display-time</code></dt>
<dd>is a numeric value from 0 to 10000 that specifies how long, in
milliseconds, the screen area containing the protected user interface
must have been displayed continuously unchanged when the event is processed.
If not specified, it defaults to 800. If a value out of the range stated above is specified, it defaults to the nearest
value between the lower and the higher bounds.
</dd>

<dt><code>tolerance</code></dt>
<dd>is a numeric value from 0 to 99 that defines the difference
threshold at which the screenshot comparison procedure of the input protection
heuristic triggers a violation. A value of 0 indicates that no difference
between the two images is permitted. A value of 99 provides little to no
practical protection. If not specified, it defaults to 0.
</dd>
</dl>
</section>
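
<p>The following is an added example, not part of the specification or of any user agent's code. It sketches how a user agent might resolve the <code>input-protection</code> options (defaults and range clamping), apply the <code>X-Frame-Options</code> precedence rule from the introduction, and pick the outcome for enforced versus report-only policies. All function names, the handling of malformed hints, and the sample headers are assumptions made for illustration.</p>

```javascript
// Added example. Function and constant names are illustrative, not from the spec.
const UI_SAFETY_DIRECTIVES = new Set([
  "input-protection",
  "input-protection-clip",
  "input-protection-selectors",
]);

// Ranges and defaults documented for the input-protection options.
const OPTION_RULES = new Map([
  ["display-time", { min: 0, max: 10000, fallback: 800 }],
  ["tolerance", { min: 0, max: 99, fallback: 0 }],
]);

// Split a serialized policy into directive-name -> directive-value.
// Assumption: the first occurrence of a directive wins.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const chunk of (policyText || "").split(";")) {
    const [name, ...rest] = chunk.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, rest.join(" "));
  }
  return directives;
}

// Resolve display-time and tolerance. Returns null when the directive is absent.
function resolveInputProtection(directives) {
  if (!directives.has("input-protection")) return null;
  const options = {};
  for (const [name, rule] of OPTION_RULES) options[name] = rule.fallback;
  for (const pair of directives.get("input-protection").split(/\s+/)) {
    const match = /^([a-z-]+)=(-?\d+)$/.exec(pair);
    // Assumption: malformed or unknown hints are skipped and the default kept.
    if (!match || !OPTION_RULES.has(match[1])) continue;
    const { min, max } = OPTION_RULES.get(match[1]);
    // Out-of-range values fall back to the nearest bound.
    options[match[1]] = Math.min(max, Math.max(min, Number(match[2])));
  }
  return options;
}

// headers: plain object keyed by lower-case header name.
function evaluateResponse(headers) {
  const enforced = parsePolicy(headers["content-security-policy"]);
  const reportOnly = parsePolicy(headers["content-security-policy-report-only"]);
  const hasUiSafety = [...enforced.keys()].some((n) => UI_SAFETY_DIRECTIVES.has(n));
  return {
    // X-Frame-Options only counts when the Content-Security-Policy header
    // carries no UI Security directive.
    honourXFrameOptions: "x-frame-options" in headers && !hasUiSafety,
    enforce: resolveInputProtection(enforced),
    reportOnly: resolveInputProtection(reportOnly),
  };
}

// What happens to a UI event for which the heuristic has triggered.
// Assumption: an enforced policy takes precedence over a report-only one.
function heuristicOutcome(evaluation) {
  if (evaluation.enforce) return { delivered: false, unsafe: false, violationReport: true };
  if (evaluation.reportOnly) return { delivered: true, unsafe: true, violationReport: true };
  return { delivered: true, unsafe: false, violationReport: false };
}

// Constructed sample responses.
const MODERN_AND_LEGACY = {
  "content-security-policy": "default-src 'self'; input-protection display-time=20000 tolerance=5",
  "x-frame-options": "DENY",
};
const REPORT_ONLY = {
  "content-security-policy-report-only": "input-protection tolerance=-3 display-time=fast",
};
const LEGACY_ONLY = { "x-frame-options": "SAMEORIGIN" };

for (const sample of [MODERN_AND_LEGACY, REPORT_ONLY, LEGACY_ONLY]) {
  const evaluation = evaluateResponse(sample);
  console.log(JSON.stringify({ evaluation, outcome: heuristicOutcome(evaluation) }));
}
```
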
<section id="input-protection-clip">
<h3><code>input-protection-clip</code></h3>

<p>The <code>input-protection-clip</code> directive defines a rectangular screen area
whose intersection with the bounding rectangle of the whole document's body should be used as the reference area in
the screenshot comparison check explained in the <a href="#heuristic">Input Protection Heuristic</a> section.</p>
<p>If the <code>input-protection-clip</code> directive is not explicitly set in a policy
which includes the <code>input-protection</code> directive
and no <code>input-protection-selectors</code> directive is set either,
the bounding rectangle of the whole document's body should be used for screenshot comparisons.</p>
<p>If explicitly set as part of a policy where no <code>input-protection</code>
directive is explicitly set, the <code>input-protection-clip</code> directive
implies the <code>input-protection</code> directive as if it was set in the same policy with its default value.</p>
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   347
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   348
<pre>
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   349
directive-name  = "input-protection-clip"
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   350
directive-value = ["before=" num-val] ["above=" num-val] ["after=" num-val] ["below=" num-val]</pre>
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   351
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   352
<p>The optional directive value can include up to four non-negative numeric labeled offsets,
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   353
expressed in CSS pixels and relative to the screen coordinates of the UI event being processed
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   354
(<code>event.screenX</code> and <code>event.screenY</code> for mouse, touch or pointer events) or, if not applicable (e.g. for keyboard events),
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   355
to the geometrical center of the event target in screen coordinates.
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   356
These offsets define a rectangle with
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   357
<pre>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   358
x = eX - left, y = eY - top, width = left + right, height = top + bottom
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   359
</pre>
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   360
where <code>eX</code> and <code>eY</code> are the event's explicit (when possible) or inferred (the target's center) screen coordinates.
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   361
The <code>left</code>, <code>top</code>, <code>right</code> and <code>bottom</code>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   362
values are mapped to the offsets labeled as
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   363
<code>before</code>, <code>above</code>, <code>after</code> and <code>below</code>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   364
respectively, unless the bi-directional text properties of the event target suggest otherwise: for instance,
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   365
if the target's direction is RTL, <code>before</code> translates to <code>right</code> and <code>after</code>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   366
 translates to <code>left</code>.
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   367
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   368
<p>The default value for this directive is <code>before=250 above=250 after=50 below=50</code>.  If a partial value is provided (i.e. any offset has been omitted) the default values should be implied for the missing offsets.  </p>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   369
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   370
<p>The intersection of the computed rectangle with the bounding rectangle of the document's body should be used as the reference area for the screenshot comparison check explained in the <a href="#heuristic">Input Protection Heuristic</a> section, unless the UI event's target or one of its DOM ancestors matches an <code>input-protection-selectors</code> directive set in the same policy.</p>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   371
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   372
<p>If the <code>input-protection-clip</code> directive is not set or provides an invalid value, the whole bounding rectangle of the document's body must be used as the reference area for the screenshot comparison, unless an <code>input-protection-selectors</code> directive is set in the same policy.</p> 
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   373
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   374
</section>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   375
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   376
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   377
<section>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   378
<h3><code>input-protection-selectors</code></h3>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   379
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   380
<p>The <code>input-protection-selectors</code> directive overrides the
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   381
implicit or explicit <code>input-protection-clip</code> value when
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   382
the processed UI event target or one of its DOM ancestors matches the <code>dom_selectors_group</code>
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   383
<a href="#selector-string">selector string</a> provided as the directive's mandatory value:
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   384
in this case, the reference area used for screenshot comparison is the
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   385
bounding box of the event target itself, if it matches the selectors, or the bounding box of its nearest
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   386
matching DOM ancestor, if any, augmented by the margins given by the leading optional labeled offsets, if any.
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   387
UI events whose target and ancestors don't match any of the specified selectors should be ignored (not blocked)
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   388
unless an <code>input-protection-clip</code> directive is explicitly included in the policy:
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   389
if this is the case, the UI event must be checked and the screenshot reference area
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   390
should be computed using the <code>input-protection-clip</code> directive.
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   391
</p>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   392
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   393
<p>If set as part of a policy where no <code>input-protection</code>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   394
directive is explicitly set, the <code>input-protection-selectors</code> directive
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   395
implies the <code>input-protection</code> directive as if it was set in the same policy with its default value.</p>
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   396
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   397
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   398
<pre>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   399
directive-name  = "input-protection-selectors"
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   400
directive-value = ["before=" num-value] ["after=" num-value] ["above=" num-value] ["below=" num-value] dom_selectors_group</pre>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   401
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   402
<p>Any of the four non-negative numeric labeled offsets, which represent margins expressed in CSS pixels,
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   403
may be omitted, taking 0 (zero) as their default values.</p>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   404
<p>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   405
The reference screenshot area is computed as the rectangle having
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   406
<pre>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   407
x = match.x - left, y = match.y - top, width = left + match.width + right, height = top + match.height + bottom
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   408
</pre>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   409
where <code>match</code> is the bounding rectangle around the UI event target, if it matches <code>dom_selectors_group</code>,
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   410
or around its nearest matching ancestor. The
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   411
<code>left</code>, <code>top</code>, <code>right</code> and <code>bottom</code> values 
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   412
are mapped to the offsets labeled as
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   413
<code>before</code>, <code>above</code>, <code>after</code> and <code>below</code>
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   414
respectively, unless the bi-directional text properties of the event target suggest otherwise: for instance,
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   415
if the target's direction is RTL, <code>before</code> translates to <code>right</code> and <code>after</code>
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   416
 translates to <code>left</code> (similarly to the <a href="#input-protection-clip"><code>input-protection-clip</code></a> directive).
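<p>The following sketch is an added example, not part of the specification or of any user agent's code. It works through how <code>input-protection-clip</code> and <code>input-protection-selectors</code> combine to pick the screenshot reference area. The function names, the shape of the <code>policy</code> and <code>ev</code> objects, the numeric syntax accepted for offsets, the acceptance of offsets in any order, and the handling of cases this section leaves undefined are assumptions.</p>

```javascript
'use strict';
// Added example; all names are hypothetical. Rectangles are {x, y, width, height}
// and are assumed to share one coordinate space.
const CLIP_DEFAULTS = { before: 250, above: 250, after: 50, below: 50 };
const SELECTOR_DEFAULTS = { before: 0, above: 0, after: 0, below: 0 };

// Parse leading "label=number" tokens; missing labels keep their defaults.
// Returns { offsets, rest } or null when an offset is malformed.
// Assumptions: offsets are non-negative decimals and may not repeat.
function parseOffsets(value, defaults) {
  const offsets = Object.assign({}, defaults);
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  const seen = new Set();
  let i = 0;
  for (; i < tokens.length; i++) {
    const m = /^(before|above|after|below)=(.*)$/.exec(tokens[i]);
    if (!m) break; // first non-offset token starts the selector group
    if (!/^\d+(\.\d+)?$/.test(m[2]) || seen.has(m[1])) return null;
    seen.add(m[1]);
    offsets[m[1]] = Number(m[2]);
  }
  return { offsets, rest: tokens.slice(i).join(' ') };
}

// Map logical labels to physical sides; RTL swaps before/after.
function toPhysical(o, dir) {
  const rtl = dir === 'rtl';
  return {
    left: rtl ? o.after : o.before,
    right: rtl ? o.before : o.after,
    top: o.above,
    bottom: o.below,
  };
}

function intersect(a, b) {
  const x = Math.max(a.x, b.x);
  const y = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.width, b.x + b.width);
  const bottom = Math.min(a.y + a.height, b.y + b.height);
  return { x, y, width: Math.max(0, right - x), height: Math.max(0, bottom - y) };
}

// policy: { clip, selectors } raw directive values, undefined when absent.
// ev: { x, y, dir, match } where x/y are the event's screen coordinates (or the
// target's center), dir is the target's direction, and match is the bounding
// rect of the target or nearest ancestor matching the selectors, or null.
// Returns the reference area, or null when the event is ignored (not blocked).
function referenceArea(policy, ev, bodyRect) {
  const hasSelectors = policy.selectors !== undefined;
  if (hasSelectors && ev.match) {
    const parsed = parseOffsets(policy.selectors, SELECTOR_DEFAULTS);
    if (!parsed || parsed.rest === '') {
      // The section does not define this case; failing loudly is an assumption.
      throw new RangeError('invalid input-protection-selectors value');
    }
    const m = toPhysical(parsed.offsets, ev.dir);
    return {
      x: ev.match.x - m.left,
      y: ev.match.y - m.top,
      width: m.left + ev.match.width + m.right,
      height: m.top + ev.match.height + m.bottom,
    };
  }
  const clip = policy.clip !== undefined
    ? parseOffsets(policy.clip, CLIP_DEFAULTS) : null;
  if (clip === null || clip.rest !== '') {
    // Clip absent or invalid: whole body, unless a selectors directive is set,
    // in which case the non-matching event is ignored. Treating an invalid
    // clip alongside selectors this way is one reading of the "unless" clause.
    return hasSelectors ? null : Object.assign({}, bodyRect);
  }
  const c = toPhysical(clip.offsets, ev.dir);
  const rect = {
    x: ev.x - c.left,
    y: ev.y - c.top,
    width: c.left + c.right,
    height: c.top + c.bottom,
  };
  return intersect(rect, bodyRect);
}

// Constructed sample input: a click near the top-left corner with an empty
// (all-default) clip value is cut down to the part inside the body.
const demoBody = { x: 0, y: 0, width: 1000, height: 800 };
console.log(referenceArea({ clip: '' },
  { x: 100, y: 100, dir: 'ltr', match: null }, demoBody));
```

<p>An absent <code>input-protection-clip</code> and an empty one behave differently here: the former selects the whole body rectangle, the latter applies the default offsets around the event.</p>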
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   417
</section>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   418
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   419
<section>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   420
<h3><code>report-uri</code></h3>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   421
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   422
<p>The <code>report-uri</code> directive specifies a URI to which the
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   423
user agent sends reports about policy violations.</p>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   424
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   425
<p>The syntax for the name and value of this directive and the
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   426
algorithm to prepare a report are described 
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   427
by Content Security Policy. [[!CSP]]</p>  
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   428
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   429
<p>The core Content Security Policy specification provides directives to
7
4076f83eb939 Major update to input-protection and some typo fixes
Giorgio Maone <giorgio@maone.net>
parents: 6
diff changeset
   430
restrict from where external content may be loaded.  As such, violation
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   431
reports include a <dfn>blocked-uri</dfn> key/value pair that specifies the
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   432
attempted resource load that was blocked by the policy.</p>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   433
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   434
<p>As this is not applicable to the directives in this document, the
7
4076f83eb939 Major update to input-protection and some typo fixes
Giorgio Maone <giorgio@maone.net>
parents: 6
diff changeset
   435
following additional steps MUST be added to the algorithm defined in
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   436
Content Security Policy to <em>prepare a violation report</em>:</p>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   437
15
58d25d8b72e1 incorporate edits from W3C team
bhill@L-SJN-00530327.corp.ebay.com
parents: 14
diff changeset
   438
<p>In step 1, when preparing the JSON object <em>violation-object</em>,
14
ca2e54aaf765 Updated references, some A11Y language.
bhill@L-SJN-00530327.corp.ebay.com
parents: 13
diff changeset
   439
add the following keys and values to the <dfn>csp-report</dfn>: [[!CSP]]</p>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   440
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   441
<p>If the violation is of the <code>input-protection</code> directive, add the following keys and values.  If a value is not set or applicable for the violation (e.g. pointer-height, if the violating event type is not a Pointer Event) the key SHOULD be omitted.
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   442
</p>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   443
15
58d25d8b72e1 incorporate edits from W3C team
bhill@L-SJN-00530327.corp.ebay.com
parents: 14
diff changeset
   444
<dl>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   445
	<dt>blocked-event-type</dt>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   446
	<dd>The <code>type</code> attribute of the <code>UIEvent</code> that was blocked by policy.</dd>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   447
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   448
	<dt>touch-event</dt>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   449
	<dd>A <dfn>boolean</dfn> indicating whether the event blocked by policy was a <dfn>Touch Event</dfn> [[!TOUCH-EVENTS]].</dd>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   450
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   451
	<dt>pointer-type</dt>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   452
	<dd>The <code>pointerType</code> value of a <dfn>Pointer Event</dfn> [[POINTER-EVENTS]].</dd>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   453
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   454
	<dt>pointer-height</dt>
21
43644c06b379 Alternate input protection heuristic, new advice on xpath production.
bhill2
parents: 20
diff changeset
   455
	<dd>The <code>height</code> value of a <code>Pointer Event</code>.</dd>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   456
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   457
	<dt>pointer-width</dt>
21
43644c06b379 Alternate input protection heuristic, new advice on xpath production.
bhill2
parents: 20
diff changeset
   458
	<dd>The <code>width</code> value of a <code>Pointer Event</code>.</dd>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   459
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   460
	<dt>device-height</dt>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   461
	<dd>The <code>device-height</code> property as defined in [[!CSS3-MEDIAQUERIES]].</dd>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   462
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   463
	<dt>device-width</dt>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   464
	<dd>The <code>device-width</code> property as defined in [[!CSS3-MEDIAQUERIES]].</dd>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   465
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   466
	<dt>blocked-event-client-x</dt>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   467
	<dd>The <code>clientX</code> attribute of the <code>UIEvent</code> [[!DOM-LEVEL-2-EVENTS]] that was blocked by policy, if set.</dd>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   468
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   469
	<dt>blocked-event-client-y</dt>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   470
	<dd>The <code>clientY</code> attribute of the <code>UIEvent</code> [[!DOM-LEVEL-2-EVENTS]] that was blocked by policy, if set.</dd>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   471
15
58d25d8b72e1 incorporate edits from W3C team
bhill@L-SJN-00530327.corp.ebay.com
parents: 14
diff changeset
   472
</dl>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   473
7
4076f83eb939 Major update to input-protection and some typo fixes
Giorgio Maone <giorgio@maone.net>
parents: 6
diff changeset
   474
<p>If the target of a <code>UIEvent</code> which triggers an <code>input-protection</code> violation has an explicitly set <code>id</code> attribute:
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   475
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   476
15
58d25d8b72e1 incorporate edits from W3C team
bhill@L-SJN-00530327.corp.ebay.com
parents: 14
diff changeset
   477
<dl>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   478
	<dt>blocked-target-id</dt>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   479
	<dd>The <code>id</code> attribute of the DOM Element that a violating
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   480
	<code>UIEvent</code> targeted.</dd>
15
58d25d8b72e1 incorporate edits from W3C team
bhill@L-SJN-00530327.corp.ebay.com
parents: 14
diff changeset
   481
</dl>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   482
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   483
<p>Otherwise, if the target element does not have an explicit <code>id</code> attribute:
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   484
15
58d25d8b72e1 incorporate edits from W3C team
bhill@L-SJN-00530327.corp.ebay.com
parents: 14
diff changeset
   485
<dl>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   486
	<dt>blocked-target-xpath</dt>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   487
	<dd>An XPath [[!XPATH]] expression that returns the target <code>Element</code> of the <code>UIEvent</code> that was blocked by policy.</dd>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   488
15
58d25d8b72e1 incorporate edits from W3C team
bhill@L-SJN-00530327.corp.ebay.com
parents: 14
diff changeset
   489
</dl>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   490
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   491
<section class=informative>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   492
<h3>Producing <code>blocked-target-xpath</code></h3>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   493
User agent implementers may provide any unambiguous XPath in the report. The following example code using the ECMAScript language bindings for DOM Level 2 Core [[!DOM-LEVEL-2-CORE]] produces an unambiguous XPath to the target DOM element <em>"e"</em>:
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   494
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   495
<pre class="example" title="Sample implementation of XPath generation for reporting">
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   496
function getXPathFor(e) {
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   497
 
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   498
    var xpath = '';
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   499
    
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   500
    while(e && e.nodeType == e.ELEMENT_NODE) { // stop at the document node, or at null for a detached subtree
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   501
      
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   502
      var child = e;
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   503
      var siblingIndex = 1; // XPath positional predicates are 1-based
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   504
      while( (child = child.previousSibling) != null ) {
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   505
        if(child.tagName == e.tagName) {
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   506
          siblingIndex++;  
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   507
        }
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   508
      }
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   509
        
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   510
      xpath = e.tagName + 
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   511
              '[' + siblingIndex + ']' + 
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   512
              (xpath == '' ? '' : '/') +
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   513
              xpath;
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   514
        
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   515
      e = e.parentNode;
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   516
   }
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   517
   xpath = '/' + xpath; 
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   518
   return(xpath);
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   519
}
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   520
</pre>
Documents may be dynamically constructed and change structure in response to user
interaction or other events, so an XPath expression that is unambiguous in the context of the
current state of the DOM may not be unambiguous to the content author.  To avoid this confusion,
resource authors SHOULD include an <code>id</code> attribute for all elements of interest,
and user agent implementers MAY include any additional information in the XPath that they feel
may help disambiguate the blocked target, including class names and id attributes of
ancestors.
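The following is an added illustration, not part of the specification: one way a user agent could attach <code>id</code> and class information to each step of the XPath, as the paragraph above permits. The names <code>makeNode</code>, <code>quoteXPathLiteral</code>, <code>stepFor</code>, <code>describeBlockedTarget</code> and <code>buildSampleDocument</code> are hypothetical, and plain objects stand in for DOM nodes so the code runs outside a browser.

```javascript
// Added example, not specification text. Plain objects stand in for DOM nodes
// (constructed sample data) so the code also runs outside a browser.
const ELEMENT_NODE = 1;
const DOCUMENT_NODE = 9;

// Hypothetical helper: build an element-like node and link its children.
function makeNode(tagName, attrs, children) {
  const node = {
    nodeType: ELEMENT_NODE,
    tagName: tagName,
    id: (attrs && attrs.id) || '',
    className: (attrs && attrs.className) || '',
    parentNode: null,
    previousSibling: null
  };
  let prev = null;
  for (const child of children || []) {
    child.parentNode = node;
    child.previousSibling = prev;
    prev = child;
  }
  return node;
}

// XPath 1.0 string literals have no escape character, so a value containing
// both quote kinds has to be assembled with concat(). Quoting attribute values
// this way keeps an author-controlled id from breaking the reported expression.
function quoteXPathLiteral(value) {
  if (value.indexOf("'") === -1) return "'" + value + "'";
  if (value.indexOf('"') === -1) return '"' + value + '"';
  return 'concat(' + value.split("'").map(function (part) {
    return "'" + part + "'";
  }).join(', "\'", ') + ')';
}

// One location step: tag name, the count of preceding same-tag siblings (the
// same counting as the specification's function), then id and class predicates.
function stepFor(e) {
  let siblingIndex = 0;
  for (let child = e.previousSibling; child != null; child = child.previousSibling) {
    if (child.tagName === e.tagName) siblingIndex++;
  }
  let step = e.tagName + '[' + siblingIndex + ']';
  if (e.id) step += '[@id=' + quoteXPathLiteral(e.id) + ']';
  if (e.className) step += '[@class=' + quoteXPathLiteral(e.className) + ']';
  return step;
}

// Build the full path from the blocked target up to the document node.
function describeBlockedTarget(e) {
  const steps = [];
  while (e != null && e.nodeType === ELEMENT_NODE) {
    steps.unshift(stepFor(e));
    e = e.parentNode;
  }
  return '/' + steps.join('/');
}

// Constructed sample document: two DIVs under BODY, the second holding the
// elements of interest, one of them with a quote character in its id.
function buildSampleDocument() {
  const pay = makeNode('BUTTON', { id: 'pay-button' });
  const odd = makeNode('BUTTON', { id: "it's" });
  const panel = makeNode('DIV', { className: 'checkout panel' },
                         [makeNode('SPAN'), pay, odd]);
  const body = makeNode('BODY', null, [makeNode('DIV', { id: 'nav' }), panel]);
  const html = makeNode('HTML', null, [makeNode('HEAD'), body]);
  html.parentNode = { nodeType: DOCUMENT_NODE };
  return { pay: pay, odd: odd };
}
```

With the predicates present, a report consumer can still recognise the blocked target by its <code>id</code> or by an ancestor's class even when sibling positions have shifted since the page was authored.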
</section>

</section>

</section>
<section>
<h2 id="sec-api">DOM interface</h2>

<p>This specification introduces a new attribute for the <code>UIEvent</code>
interface introduced in DOM Level 2. [[!DOM-LEVEL-2-EVENTS]]</p>
<section>

<dl title="partial interface UIEvent" class="idl">
  <dt>[Unforgeable] readonly attribute bool unsafe</dt>
    <dd>This is a non-configurable boolean property of input event objects.
      Set to "true" if a violation of an input-protection directive
      occurred for the event.</dd>
</dl>

<p>The <code>unsafe</code> attribute allows web applications to monitor and
immediately respond to suspect violations in <code>report-only</code>
mode. Applications may also use this interface for capability detection. For
example, a web application may monitor user inputs on a payment button element
like this: </p>
<pre class="example" title="Example code responding to unsafe attribute">document.getElementById('payment-button').addEventListener("click", function(eventObj) {
  // The attribute exists only in user agents that implement this specification.
  if ("unsafe" in eventObj) {
    if (eventObj.unsafe == true) {
      // An input-protection violation occurred for this click: do not pay.
      return reportUnsafeOrShowDialog();
    }
  }
  makePayment();
});</pre>
</section></section>


<section>
<h2>Script Interfaces</h2>

<p>If associated with a Content Security Policy 1.1 [[CSP11]] or later implementation, the User Interface Security Directives include
the following script interfaces, which extend the experimental functionality defined therein: <a href="https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-interfaces--experimental">https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-interfaces--experimental</a></p>

<section>
          <h4><code>SecurityPolicyViolationEvent</code> Events</h4>

          <dl title="[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)] partial interface SecurityPolicyViolationEvent : Event" class="idl">
            <dt>readonly attribute DOMString blockedEventType</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-event-type</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute bool touchEvent</dt>
            <dd>Refer to the <a href="#report-uri"><code>touch-event</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute DOMString pointerType</dt>
            <dd>Refer to the <a href="#report-uri"><code>pointer-type</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute long pointerHeight</dt>
            <dd>Refer to the <a href="#report-uri"><code>pointer-height</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute long pointerWidth</dt>
            <dd>Refer to the <a href="#report-uri"><code>pointer-width</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute long deviceHeight</dt>
            <dd>Refer to the <a href="#report-uri"><code>device-height</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute long deviceWidth</dt>
            <dd>Refer to the <a href="#report-uri"><code>device-width</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute long blockedEventClientX</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-event-client-x</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute long blockedEventClientY</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-event-client-y</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute DOMString blockedTargetID</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-target-id</code></a> property of violation reports for a description of this property.</dd>

            <dt>readonly attribute DOMString blockedTargetXPath</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-target-xpath</code></a> property of violation reports for a description of this property.</dd>
          </dl>

          <dl title="partial dictionary SecurityPolicyViolationEventInit" class="idl">
            <dt>DOMString blockedEventType</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-event-type</code></a> property of violation reports for a description of this property.</dd>

            <dt>bool touchEvent</dt>
            <dd>Refer to the <a href="#report-uri"><code>touch-event</code></a> property of violation reports for a description of this property.</dd>

            <dt>DOMString pointerType</dt>
            <dd>Refer to the <a href="#report-uri"><code>pointer-type</code></a> property of violation reports for a description of this property.</dd>

            <dt>long pointerHeight</dt>
            <dd>Refer to the <a href="#report-uri"><code>pointer-height</code></a> property of violation reports for a description of this property.</dd>

            <dt>long pointerWidth</dt>
            <dd>Refer to the <a href="#report-uri"><code>pointer-width</code></a> property of violation reports for a description of this property.</dd>

            <dt>long deviceHeight</dt>
            <dd>Refer to the <a href="#report-uri"><code>device-height</code></a> property of violation reports for a description of this property.</dd>

            <dt>long deviceWidth</dt>
            <dd>Refer to the <a href="#report-uri"><code>device-width</code></a> property of violation reports for a description of this property.</dd>

            <dt>long blockedEventClientX</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-event-client-x</code></a> property of violation reports for a description of this property.</dd>

            <dt>long blockedEventClientY</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-event-client-y</code></a> property of violation reports for a description of this property.</dd>

            <dt>DOMString blockedTargetID</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-target-id</code></a> property of violation reports for a description of this property.</dd>

            <dt>DOMString blockedTargetXPath</dt>
            <dd>Refer to the <a href="#report-uri"><code>blocked-target-xpath</code></a> property of violation reports for a description of this property.</dd>
          </dl>
          </section>
       <section>
          <h4>SecurityPolicy</h4>

          <p>Let the <dfn>active CSP policies</dfn> be the set of CSP policies
          the user agent is currently enforcing for the associated
          document.</p>

          <dl title="partial interface Security Policy" class="idl">
            <dt>readonly attribute bool inputProtection</dt>
            <dd>A boolean representing the logical <code>or</code> of whether
            the <code>input-protection</code> directive is present or implied in
            each of the <a href="https://dvcs.w3.org/hg/content-security-policy/raw-file/45f6ccaba0ef/csp-specification.dev.html#dfn-active-csp-policies">active CSP
            policies</a>. [[CSP11]]</dd>

          </dl>
        </section>

</section>
</section>
</section>

<section id="heuristic"  class=informative>
<h2>Input Protection Heuristic</h2>
<section>
<p>The algorithm described here can be
implemented mostly in terms of HTML5 constructs, but requires the ability to
monitor and intercept actions in the rendering of a resource and delivery of
events to that resource. User agents may apply equivalent protections using
means more optimized for their implementation details, may ignore
recommendations where the browsing environment eliminates certain classes of
attack (e.g. the cursor sanity check in a touch-only environment), or may implement
some features in terms of the underlying operating system or platform rather
than directly in the user agent.</p>
</section>
<section>
<h4>Preparation</h4>
<ol>
  <li><strong>Listener registration</strong> - On the topmost window, register a "global" capturing
    event listener for mouse button, tapping, keyboard, drag &amp; drop and
    focus events, which must be guaranteed to run before any other event
    handler of the same kind and therefore be able to prevent any event from
    being handled by the content, if needed. </li>
  <li><strong>Display changes tracking</strong> - whenever a repaint occurs in the topmost window or in one of its descendants,
      create a record containing a weak reference to the Origin causing the repaint, the screen coordinates of the
      regions being repainted and a timestamp detailing when the repaint occurred, and add this record
      to a screen-global list named "Display Changes List".
      Records older than the maximum value for <code>input-protection</code> <code>display-time</code> can be discarded on update.
  </li>
4076f83eb939 Major update to input-protection and some typo fixes
Giorgio Maone <giorgio@maone.net>
parents: 6
diff changeset
   692
</ol>
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   693
</section>
<section>
<h4>UI Event handling</h4>
<ol>
  <!-- 1 --> <li><strong>Timing attacks countermeasure</strong> -
  check whether the "Display Changes List" contains any record younger than the
  <code>input-protection</code> <code>display-time</code> value, whose repainted regions
  intersect with the protected UI elements <em>and</em> whose repaint-causing
  Origin is <em>different</em> than the protected one. If this is true, hinting at
  a recent change in the way the protected UI is displayed, with causes external to the UI
  itself (e.g. an overlapping element in an ancestor document or a
  floating window being suddenly moved away), assume a timing attack is happening
  and jump to step 4.
  </li>
  <!-- 2 --> <li><strong>Cursor sanity check</strong> - By querying computed-style with
    the ":hover" pseudo-class on the element (if the target is plugin content)
    or on the host frame element and its ancestors (if the target is a nested
    document), check whether the cursor has been hidden or changed to a
    possibly attacker-provided bitmap: if it has, jump to step 4. This provides
    protection against "Phantom cursor" attacks, also known as
    "Cursorjacking".</li>
  <!-- 3 --> <li><strong>Obstruction check</strong> - Take two screenshots of the area defined by the
    <a href="#input-protection-clip"><code>input-protection-clip</code></a> and
    <a href="#input-protection-selectors"><code>input-protection-selectors</code></a>
    directives and containing the DOM element which is about to receive the event.

    <ol>
    <li>The <dfn>control image</dfn> is taken from its owner document's "point of view" (unobstructed by definition) in an off-screen HTML5 canvas element [[!HTML5]].  The <dfn>user image</dfn> is taken from either the topmost window's point of view in an off-screen HTML5 canvas element [[!HTML5]] or using the fully composited operating system perspective, obtained using OS-native APIs.</li>

    <li>When this heuristic is applied to plugin content, the <strong>control image</strong> must contain the element itself only.</li>

    <li>If the number of pixels which are different
    between the screenshots does not exceed a
    percentage threshold defined by the
    <code>tolerance</code> property of the <code>input-protection</code> directive,
    return.</li>

    <li>Differences are computed at a pixel-by-pixel level. Any difference in the value
    of a pixel means it does not match.  For example, a protected area in blue
    overlaid entirely by cross-origin content in red at 1% opacity is considered to
    be 100% different, not 1% different.
    If portions of the <strong><em>control image</em></strong> are clipped by
    the view port or otherwise occluded, all such pixels must be
    considered not to match.</li>

    <li>Otherwise, if the differences exceed the tolerance, assume that the DOM element which the user is
    interacting with has been obstructed or obscured by a UI Redressing
    attempt and proceed with step 4.</li>
   </ol>

   </li>

   <li><strong>Violation management</strong> -
   If in report-only mode, set the <code>unsafe</code> property of the event being handled to <code>true</code> and let the event processing continue. Otherwise, prevent the event from reaching its target.  Create and send a violation report if a valid report-uri has been specified.
  </li>
</ol>

    <p class="note" title="Implementation Note">
    In the first implementation of this
    heuristic, NoScript's ClearClick, the screenshots are taken by using the
    CanvasRenderingContext2D.drawWindow() method, which is a
    Mozilla-proprietary extension of the HTML 5 Canvas API available to
    privileged code only, allowing the content of DOM windows to be drawn on a
    canvas surface exactly as rendered on the screen. The rest of this phase
    relies on cross-browser canvas features, instead, such as pixel grabbing
    and data URL serialization.
    </p>
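<p>The four UI Event handling steps above, modelled in JavaScript as an added example; it is not code from this specification, from NoScript or from any user agent. Assumptions: times and <code>display-time</code> are in milliseconds, Origins are plain strings rather than weak references, images are flat RGBA arrays, and the <code>ctx</code> and report object shapes and the <code>.example</code> origins are hypothetical.</p>

```javascript
// Added illustration of the UI Event handling steps; a model, not user-agent code.
// Assumptions: rectangles are {x, y, w, h} in screen coordinates, images are flat
// RGBA arrays, times are in milliseconds, Origins are plain strings.

const intersects = (a, b) =>
  a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;

class DisplayChangesList {
  constructor(maxDisplayTime) {
    this.maxDisplayTime = maxDisplayTime; // largest display-time any policy uses
    this.records = [];
  }
  // Preparation: one record per repaint; stale records are discarded on update.
  add(origin, regions, timestamp) {
    this.records = this.records.filter(
      (r) => timestamp - r.timestamp <= this.maxDisplayTime);
    this.records.push({ origin, regions, timestamp });
  }
  // Step 1: is there a young record, caused by a different Origin, whose
  // repainted regions intersect the protected area?
  recentForeignRepaint(rect, origin, displayTime, now) {
    return this.records.some((r) =>
      now - r.timestamp < displayTime &&
      r.origin !== origin &&
      r.regions.some((region) => intersects(region, rect)));
  }
}

// Step 2: the cursor was hidden ("none") or replaced by a bitmap ("url(...)").
function cursorIsSuspicious(computedCursor) {
  const value = computedCursor.trim().toLowerCase();
  return value === 'none' || value.includes('url(');
}

// Step 3: percentage of pixels that do not match. Any channel difference makes
// the whole pixel differ, and clipped or occluded control pixels never match.
function differingPercent(control, user, clippedPixels = new Set()) {
  if (control.length !== user.length || control.length % 4 !== 0) return 100;
  const pixels = control.length / 4;
  if (pixels === 0) return 100; // nothing visible to compare: fail closed
  let differing = 0;
  for (let p = 0; p < pixels; p++) {
    let same = !clippedPixels.has(p);
    for (let c = 0; same && c < 4; c++) {
      same = control[4 * p + c] === user[4 * p + c];
    }
    if (!same) differing++;
  }
  return (100 * differing) / pixels;
}

// Steps 1-4 for one event. `ctx` and the returned object are hypothetical shapes.
function handleUIEvent(event, ctx) {
  const { policy } = ctx;
  let reason = null;
  if (ctx.changes.recentForeignRepaint(ctx.rect, ctx.origin,
      policy.displayTime, event.timeStamp)) {
    reason = 'timing';
  } else if (cursorIsSuspicious(ctx.cursor)) {
    reason = 'cursor';
  } else if (differingPercent(ctx.controlImage, ctx.userImage, ctx.clipped)
      > policy.tolerance) {
    reason = 'obstruction';
  }
  if (reason === null) return { delivered: true, reason, report: null };

  // Step 4: violation management.
  const report = policy.reportUri ? { to: policy.reportUri, reason } : null;
  if (policy.reportOnly) {
    event.unsafe = true; // flag the event but let processing continue
    return { delivered: true, reason, report };
  }
  return { delivered: false, reason, report };
}

// Constructed sample: a 4x4 blue button; the user image is the same area with
// red composited over it at 1% opacity (255 * 0.01 -> 3, 255 * 0.99 -> 252).
const solid = (rgba, pixels) => Array.from({ length: pixels }, () => rgba).flat();

function demo() {
  const changes = new DisplayChangesList(1000);
  changes.add('https://embedder.example', [{ x: 0, y: 0, w: 50, h: 50 }], 9000);
  const ctx = {
    changes,
    rect: { x: 10, y: 10, w: 4, h: 4 },
    origin: 'https://widget.example',
    cursor: 'pointer',
    controlImage: solid([0, 0, 255, 255], 16),
    userImage: solid([3, 0, 252, 255], 16),
    clipped: new Set(),
    policy: { displayTime: 800, tolerance: 5, reportOnly: false,
              reportUri: 'https://widget.example/csp-report' },
  };
  const late = handleUIEvent({ timeStamp: 10000 }, ctx);  // repaint is 1000 ms old
  const early = handleUIEvent({ timeStamp: 9500 }, ctx);  // repaint is 500 ms old
  return { late, early };
}
```

<p>In the sample, the click arriving 500 ms after the cross-origin repaint is stopped by the timing check, while the click arriving after 1000 ms passes it and is stopped by the obstruction check, because the 1% red overlay changes every pixel.</p>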

</section>
</section>
<section id="alt_heuristic" class=informative>
<h2>Alternate Heuristic</h2>
<p>Some user agents use a strategy for hit testing and delivering
UI events involving multiple composited layers managed on a GPU.
This alternative heuristic describes one possible implementation
strategy for the input-protection directive in this architecture that
may be a better fit than the standard heuristic.</p>

<p>GPU-optimized user agents typically separate the browser UI process from the
process that handles building and displaying the visual representation of the
resource.  (In this context the term "process" refers to any encapsulated
subunit of user-agent functionality that communicates with other subunits
through message passing, without implying any particular implementation details
such as locality to a thread, OS-level "processes" or the like.)  It is typical
for the browser UI process to receive user events such as mouse clicks and then
marshal these to the render process, where the event is hit tested through the
page's DOM, checking for event handlers along the way.  As an optimization, the
render process may communicate hit test rectangles back to the UI process in
advance so that the UI process can immediately respond to, e.g., a Touch event
by scrolling, if the event target falls within coordinates for which there are
no other registered handlers in the DOM.   A similar strategy can be used to
create an implementation of the input protection heuristic that is
consistent with this multi-process, compositing architecture.
</p>

<p>If a resource being loaded in a <code>frame</code>, <code>iframe</code>,
<code>object</code>, <code>embed</code> or <code>applet</code> context
specifies an <code>input-protection</code> directive, apply the following steps:</p>
<section>
<h4>Preparation</h4>
<ol>
<li><strong>Protected hit test rectangle tracking:</strong> Hook the creation of event
handlers for protected events and elements and add the DOM nodes with any such
handler to a collection. After a layout occurs, or when an event handler is
added or removed, iterate across all DOM nodes to generate a vector of rectangles and
their associated Origins where events must be checked for safety.
If the <code>input-protection</code> applies to
the DOMWindow or Document node, avoid this expensive process of walking the
renderers and simply use the view's bounds, as they're guaranteed to be inclusive.
</li>

<li><strong>(Optionally) Put the protected areas into a backing store / composited
layer:</strong> To avoid the expense of having to re-layout and re-paint
protected regions during the <strong>obstruction check</strong>, it may make sense
to designate and place these regions into their own backing store or composited
layer which can serve as a cached <strong><em>control image</em></strong>.
</li>

<li><strong>Display changes tracking:</strong> whenever a region in a protected
hit test rectangle is invalidated, create a record containing a weak reference to the
Origin causing the repaint, the screen coordinates of the regions being
repainted and a timestamp detailing when the repaint occurred, and add this
record to a screen-global list named "Display Changes List".  Records older than
the maximum value of <code>input-protection display-time</code> can be discarded
on update.</li>
</ol>
</section>
<section>
<h4>UI Event handling</h4>
<ol>
<li><strong>Hit testing in the compositor:</strong> When an event is received, check
whether it is on any layer and then walk the layer hierarchy checking the
protected hit test rectangles on every layer.  If there is a hit, continue this heuristic.
Otherwise, exit this heuristic and event processing proceeds as normal.
</li>

<li><strong>Timing attacks countermeasure:</strong> Check whether the "Display
Changes List" contains any record younger than the <code>input-protection display-time</code>
value, whose repainted regions intersect with the protected regions <em>and</em>
whose repaint-causing Origin is <em>different</em> than the protected one.
If this is true, hinting at a recent change in the way the protected UI is
displayed, with causes external to the UI itself (e.g. an overlapping element
in an ancestor document or a floating window being suddenly moved away), assume
a timing attack is happening and jump to <strong>Violation management</strong>.
</li>

<li><strong>Cursor sanity check:</strong> By querying computed-style with the
":hover" pseudo-class on the element (if the target is plugin content) or on the
host frame element and its ancestors (if the target is a nested document), check
whether the cursor has been hidden or changed to a possibly attacker-provided
bitmap.  If it has, proceed to <strong>Violation management</strong>.  This provides
protection against "Phantom cursor" attacks, also known as "Cursorjacking".
</li>
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   847
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   848
<li><strong>Obstruction check:</strong> Compare two sets of pixels: the
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   849
<strong><em>control image</em></strong> is the protected region as if it was
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   850
rendered alone, unobstructed by pixels originating from any other document
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   851
context.  If the protected regions were placed into their own backing store /
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   852
composited layer, this should be readily available, although the pixels may
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   853
need to be read back from the GPU to perform a comparision.  The <strong><em>user image
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   854
</em></strong> represents the same area as the <strong><em>control image</em>
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   855
</strong> in the outermost document's coordinate system and contains the final
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   856
set of common pixels for the fully rendered page.  The <strong><em>control
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   857
image</em></strong> can be acquired through operating system APIs or from the
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   858
compositor for the outermost document context.
22
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   859
These images are compared, and if the number of pixels that differ is below the
21
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   860
<code>tolerance</code> threshold associated with the <code>input-protection</code>
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   861
directive, proceed to deliver the event normally, otherwise proceed to
22
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   862
<strong>Violation management</strong>.  
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   863
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   864
    <p>Differences are computed at a pixel-by-pixel level. Any difference in the value
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   865
    of a pixel means that it does not match.  For example, a protected area in blue
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   866
    overlaid entirely by cross-origin content in red at 1% opacity is considered to
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   867
    be 100% different, not 1% different.  If portions of the <strong><em>control
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   868
    image</em></strong> are clipped by the view port or otherwise occluded, all such pixels must be
f2bebd1307ff refine obstruction check description
bhill2
parents: 21
diff changeset
   869
    considered not to match.</p>
23
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   870
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   871
    <p>As a short-cut, a user agent MAY choose to treat any pixels in a protected layer with an
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   872
    opacity of less than 100% as failing to match by definition.  In cases where a fully-composited
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   873
    user view is not available or extremely expensive to calculate, this optimization allows
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   874
    the obstruction check to be performed with only a knowledge of the layers that fall on top of
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   875
    the protected layer.</p> 
21
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   876
</li>
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   877
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   878
 <li><strong>Violation management</strong> -
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   879
 If in report-only mode, set the <code>unsafe</code> property of the event being
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   880
 handled to <code>true</code> and let the event processing continue. Otherwise,
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   881
 prevent the event from reaching its target.  Create and send a violation report
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   882
 if a valid report-uri has been specified.
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   883
</li>
29
b2a9b33cad0a externalized, better svg accessiblity text, checking in LCWD
bhill2
parents: 27
diff changeset
   884
</ol>
b2a9b33cad0a externalized, better svg accessiblity text, checking in LCWD
bhill2
parents: 27
diff changeset
   885
    <p class="note" title="Implementation note">
b2a9b33cad0a externalized, better svg accessiblity text, checking in LCWD
bhill2
parents: 27
diff changeset
   886
        Optimized and potentially cross-platform
21
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   887
	implementations of screen and cursor capturing and monitoring 
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   888
	regions for invalidation may be available as part of e.g. screen-
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   889
	sharing functionality through getUserMedia() [[MEDIACAPTURE]] or other
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   890
	remote desktop-type functionality available in certain user agents,
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   891
	e.g. the ScreenCapturer interface in Chromium.
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   892
    </p>
43644c06b379 Alternate input protection heuristic, new advice on xpath producation.
bhill2
parents: 20
diff changeset
   893
</section>
23
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   894
</section>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   895
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   896
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   897
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   898
<section>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   899
<h2>Examples</h2>
0
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   900
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   901
<section class=informative>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   902
<h3>Sample Policy Definitions</h3>
0
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   903
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   904
<p>This section provides some sample use cases and accompanying security
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   905
policies.</p>
0
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   906
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   907
<p>
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   908
A resource wishes to block delivery of UI events to the document unless its whole body
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   909
has been entirely visible (no tolerance) during the past 1 second (default display-time value):</p>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   910
<pre class="example" title="Policy Header">Content-Security-Policy: input-protection</pre>
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   911
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   912
<p>A resource wishes to block delivery of UI events to the element with id "send-box", all the elements with class
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   913
".tweet" and all the forms in the page unless those elements have been visible for the past 800 milliseconds at least,
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   914
(their intrinsic sizes are used as a reference for screenshot comparison): </p>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   915
<pre class="example" title="Policy Header">
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   916
Content-Security-Policy: input-protection display-time 800;
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   917
        input-protection-selectors #send-button, .tweet, form</pre>
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   918
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   919
<p>A resource wishes to block delivery of UI events
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   920
to any obstructed HTML button and suggests a 15% tolerance
8
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   921
threshold for determining obstruction of the element with a 200 pixels wide margin above and before (on the top and on the left,
da6b42199939 Major update: input-protection-padding and input-protection-selectors
Giorgio Maone <giorgio@maone.net>
parents: 7
diff changeset
   922
if orientation is LTR) the triggering element:</p>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   923
<pre  class="example" title="Policy Header">Content-Security-Policy: input-protection tolerance=15;
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   924
                input-protection-selectors above=200 before=200 after=0 below=0 button, input[type=submit], input[type=button]</pre>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   925
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   926
<p>A resource wishes to receive reports when the
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   927
UI Security heuristic is triggered for any element in the <code>&lt;body&gt;</code>,
9
a2ce5fa6b5fb Major update: replace -padding with -clip and extend default screenshot area
Giorgio Maone <giorgio@maone.net>
parents: 8
diff changeset
   928
with the default 300 by 300 pixels clipped reference area and 0 tolerance:</p>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   929
<pre  class="example" title="Policy Header">Content-Security-Policy-Report-Only: input-protection; input-protection-clip;
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   930
                                     report-uri https://example.com/csp-report?unique_id=XKSJ9KAAHJDK9928KKSJEQ</pre>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   931
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   932
<p>A resource wants to react to potential clickjacking
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   933
directly, without sending a report, so it sets a report-only header but does not 
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   934
specify a report-uri. When a <code>UIEvent</code> is sent, the <code>unsafe</code>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   935
attribute will still be set when the heuristic is triggered:</p>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   936
<pre  class="example" title="Policy Header">Content-Security-Policy-Report-Only: input-protection</pre>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   937
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   938
<p>A resource wants to allow itself to be embedded by <strong>ancestors</strong> that are same-origin or from the origin <code>https://checkout.example.com</code>, but also to have the <code>unsafe</code> attribute set on events that violate the <code>input-protection</code> heuristic.</p>
31
cdfe8d12ba6b fixed section numbering issue and reference to obsolete frame-options directive
bhill2
parents: 30
diff changeset
   939
<pre  class="example" title="Policy Header">Content-Security-Policy: frame-ancestors 'self' https://checkout.example.com
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   940
Content-Security-Policy-Report-Only: input-protection </pre>
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   941
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   942
</section>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   943
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   944
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   945
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   946
<section class=informative>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   947
<h3>Sample Violation Report</h3>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   948
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   949
<p>This section contains an example violation report the user agent might send
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   950
to a server when the protected resource violates a sample policy.</p>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   951
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   952
<p>In the following example, a document from
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   953
<code>http://example.org/page.html</code> was rendered with the following CSP
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   954
policy:</p>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   955
<pre>input-protection; report-uri https://example.org/csp-report.cgi?unique_id=12345</pre>
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   956
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   957
<p>A <code>click</code> violated the policy.</p>
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   958
<pre class="example" title="Sample violation report JSON body">{
0
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   959
  "csp-report": {
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   960
    "document-uri": "http://example.org/page.html",
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   961
    "referrer": "http://evil.example.com/haxor.html",
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   962
    "blocked-event-type": "click",
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   963
    "blocked-event-client-x": "325",
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   964
    "blocked-event-client-y": "122",
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   965
    "touch-event": "false",
16
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   966
    "device-width": "800",
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   967
    "device-height": "300",
b130b384c66a Updated name to UI Safety, resolved many outstanding issues, cleanup.
bhill@L-SJN-00530327.corp.ebay.com
parents: 15
diff changeset
   968
    "blocked-target-xpath": "/html[0]/body[0]/div[6]/form[2]/input[0]",
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   969
    "violated-directive": "input-protection",
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
   970
    "original-policy": "input-protection; report-uri https://example.org/csp-report.cgi?unique_id=12345"
0
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   971
  }
6834f5e73e7b Checking in Brad's initial draft
David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
parents:
diff changeset
   972
}</pre>
23
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   973
</section>
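One way a report collector could triage the sample report above, as an added example that is not part of the specification. The function name, the trusted-embedder list and the reading of `referrer` as the embedding page are assumptions of this example.

```javascript
// Added example: collector-side triage for an input-protection violation report.
// Reports arrive from arbitrary clients, so every field is treated as untrusted input.
const REQUIRED_FIELDS = [
  "document-uri", "blocked-event-type", "blocked-event-client-x",
  "blocked-event-client-y", "violated-directive",
];

// Return the origin of a URL string, or null when it does not parse.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Parse the sample report's numeric strings ("325") into non-negative integers.
function coordinate(value) {
  const n = Number(value);
  return /^\d+$/.test(value) && Number.isSafeInteger(n) ? n : null;
}

// trustedEmbedders is a hypothetical allowlist of origins permitted to frame the resource.
function triageReport(body, trustedEmbedders) {
  let report;
  try { report = JSON.parse(body)["csp-report"]; } catch { return { ok: false, reason: "invalid JSON" }; }
  if (!report || typeof report !== "object") return { ok: false, reason: "missing csp-report" };
  for (const key of REQUIRED_FIELDS) {
    if (typeof report[key] !== "string") return { ok: false, reason: `missing ${key}` };
  }
  if (report["violated-directive"] !== "input-protection") {
    return { ok: false, reason: "not an input-protection report" };
  }
  const x = coordinate(report["blocked-event-client-x"]);
  const y = coordinate(report["blocked-event-client-y"]);
  if (x === null || y === null) return { ok: false, reason: "bad coordinates" };

  const documentOrigin = originOf(report["document-uri"]);
  // Assumption: the referrer of the framed document is the page that embedded it.
  const framedBy = originOf(report["referrer"] || "");
  const crossOrigin = framedBy !== documentOrigin;
  return {
    ok: true,
    eventType: report["blocked-event-type"],
    x, y,
    target: report["blocked-target-xpath"] || null,
    framedBy,
    // Flag reports where the embedder is unknown or is neither same-origin nor allowlisted.
    suspicious: framedBy === null || (crossOrigin && !trustedEmbedders.includes(framedBy)),
  };
}

// The sample violation report from this section, embedded so the example runs offline.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-event-type": "click",
    "blocked-event-client-x": "325",
    "blocked-event-client-y": "122",
    "touch-event": "false",
    "device-width": "800",
    "device-height": "300",
    "blocked-target-xpath": "/html[0]/body[0]/div[6]/form[2]/input[0]",
    "violated-directive": "input-protection",
    "original-policy": "input-protection; report-uri https://example.org/csp-report.cgi?unique_id=12345",
  },
});

console.log(triageReport(SAMPLE_REPORT, ["https://checkout.example.com"]));
```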
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   974
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   975
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   976
<section>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   977
<h3>Example Boundary Calculations for the Obstruction Check</h3>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   978
<p>A resource at OriginX embeds a resource at OriginY. The OriginY resource has the following policy:</p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   979
<p><code>Content-Security-Policy: input-protection tolerance=50; input-protection-selectors div;</code></p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   980
<p>and results in the following layout:</p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   981
29
b2a9b33cad0a externalized, better svg accessiblity text, checking in LCWD
bhill2
parents: 27
diff changeset
   982
<img src="1.svg" width="800" height="650" alt="Example frame layout."/>
23
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   983
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   984
<p>The element with the id "div1" has an <code>onClick</code> handler defined, and a click event is triggered
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   985
at 120,120 in the OriginX document's coordinate system.  The red dot indicates the position of the event.
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   986
The event is delivered to "div1", which matches the <code>input-protection-selectors</code>, and no parent of
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   987
"div1" matches.  As no <code>input-protection-clip</code> value is defined, the entire area of "div1" becomes the boundaries for
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   988
the <strong><em>obstruction check</em></strong>, indicated by the cyan fill.   As more than 50% of this
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   989
area is occluded behind the iframe viewport, and so does not match by definition, this will trigger a violation.</p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   990
29
b2a9b33cad0a externalized, better svg accessiblity text, checking in LCWD
bhill2
parents: 27
diff changeset
   991
<img src="2.svg" width="800" height="650" alt="Example frame layout showing selector policy with an event."/>
23
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   992
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   993
<p>If the OriginY protected resource set the following policy, instead:</p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   994
<p><code>Content-Security-Policy: input-protection tolerance=50; input-protection-selectors div; input-protection-clip before=60 after=60 above=60 below=60;</code></p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   995
<p>The region for the <strong><em>obstruction check</em></strong>, still indicated in solid cyan, is now only 
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   996
the intersection of the boundaries of the protected element handling the event, indicated by diagonal cyan lines, and the clipping 
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   997
window around the event, indicated by the green dotted line. If the OriginX resource has not painted anything over the iframe viewport, this check will not trigger
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   998
a violation because the entire cyan area will be identical in the <strong><em>user image</em></strong> and <strong><em>control image</em></strong>.</p> 
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
   999
29
b2a9b33cad0a externalized, better svg accessiblity text, checking in LCWD
bhill2
parents: 27
diff changeset
  1000
<img src="3.svg" width="800" height="650" alt="Example frame layout showing selector policy with an event."/>
23
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1001
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1002
<p>If the OriginY protected resource omitted selectors, as in this policy:</p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1003
<p><code>Content-Security-Policy: input-protection tolerance=50; input-protection-clip before=60 after=60 above=60 below=60;</code></p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1004
<p>The region for the <strong><em>obstruction check</em></strong>, still indicated in solid cyan, is now 
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1005
the intersection of the boundaries of the entire document, indicated by diagonal cyan lines, and the clipping 
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1006
window around the event, indicated by the green dotted line. This demonstrates that portions of the protected resource may be
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1007
included in the obstruction check region, even if they do not have event listeners.  Thus, the hit test rectangles which trigger the
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1008
heuristic do not necessarily compose the entire region that must be checked.</p>
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1009
<p>As in the previous example, if the OriginX resource has not painted anything over the iframe viewport, this check will not trigger
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1010
a violation because the entire cyan area will be identical in the <strong><em>user image</em></strong> and <strong><em>control image</em></strong>.</p> 
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1011
29
b2a9b33cad0a externalized, better svg accessiblity text, checking in LCWD
bhill2
parents: 27
diff changeset
  1012
<img src="4.svg" width="800" height="650" alt="Example frame layout showing selector policy with an event."/>
23
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1013
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1014
</section>
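The obstruction check and the boundary calculations above, worked through as an added JavaScript example that is not part of the specification or of any user agent's code. The rectangles for the iframe viewport and "div1" are constructed (the figures give only the click at 120,120), LTR layout is assumed, and a difference exactly equal to the tolerance is treated as passing.

```javascript
// Added example. Rectangles are {x, y, w, h} in the outermost document's
// coordinate system; images are row-major RGBA byte arrays sized to the region.

function intersect(a, b) {
  const x = Math.max(a.x, b.x), y = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.w, b.x + b.w);
  const bottom = Math.min(a.y + a.h, b.y + b.h);
  return right > x && bottom > y ? { x, y, w: right - x, h: bottom - y } : null;
}

// Region for the obstruction check: the protected bounds, narrowed to the
// input-protection-clip window around the event when a clip is given.
// Assumes LTR layout, so "before" is left and "above" is top.
function checkRegion(protectedRect, event, clip) {
  if (!clip) return protectedRect;
  const clipWindow = {
    x: event.x - clip.before, y: event.y - clip.above,
    w: clip.before + clip.after, h: clip.above + clip.below,
  };
  return intersect(protectedRect, clipWindow);
}

function solid(w, h, rgba) {
  const img = new Uint8ClampedArray(w * h * 4);
  for (let i = 0; i < img.length; i += 4) img.set(rgba, i);
  return img;
}

// Paint `rgb` at `alpha` opacity over every pixel of an opaque image.
function overlay(img, rgb, alpha) {
  const out = Uint8ClampedArray.from(img);
  for (let i = 0; i < out.length; i += 4) {
    for (let c = 0; c < 3; c++) out[i + c] = Math.round(rgb[c] * alpha + img[i + c] * (1 - alpha));
  }
  return out;
}

// Compare control and user images pixel by pixel. A pixel clipped by the
// viewport never matches, and any difference in value is a full mismatch.
function obstructionCheck(region, viewport, control, user, tolerance) {
  // This example fails closed when the region is empty.
  if (!region) return { differing: 0, percent: 100, violation: true };
  let differing = 0;
  for (let row = 0; row < region.h; row++) {
    for (let col = 0; col < region.w; col++) {
      const px = region.x + col, py = region.y + row;
      const inView = px >= viewport.x && px < viewport.x + viewport.w &&
                     py >= viewport.y && py < viewport.y + viewport.h;
      const i = (row * region.w + col) * 4;
      const same = inView &&
        control[i] === user[i] && control[i + 1] === user[i + 1] &&
        control[i + 2] === user[i + 2] && control[i + 3] === user[i + 3];
      if (!same) differing++;
    }
  }
  const percent = (differing * 100) / (region.w * region.h);
  // Assumption: a difference equal to the tolerance passes, so tolerance 0
  // still delivers events when the two images are identical.
  return { differing, percent, violation: percent > tolerance };
}

function runExamples() {
  // Constructed geometry: iframe viewport in OriginX, and a protected "div1"
  // that extends past the right edge of that viewport.
  const viewport = { x: 50, y: 50, w: 150, h: 150 };
  const div1 = { x: 100, y: 100, w: 250, h: 100 };
  const click = { x: 120, y: 120 };
  const clip = { before: 60, after: 60, above: 60, below: 60 };
  const blue = [0, 0, 255, 255];

  const check = (region, paint, tolerance) => {
    const control = solid(region.w, region.h, blue);
    return obstructionCheck(region, viewport, control, paint(control), tolerance);
  };
  const untouched = (img) => Uint8ClampedArray.from(img);
  const clipped = checkRegion(div1, click, clip);

  return {
    // tolerance=50, selectors only: 60% of div1 is outside the viewport.
    wholeElement: check(checkRegion(div1, click, null), untouched, 50),
    clippedRegion: clipped,
    // tolerance=50 with the 60px clip: region is fully visible and unobstructed.
    clippedElement: check(clipped, untouched, 50),
    // Same region under red cross-origin content at 1% opacity.
    faintOverlay: check(clipped, (img) => overlay(img, [255, 0, 0], 0.01), 50),
  };
}

console.log(runExamples());
```

The faint overlay case reports every pixel as differing, which is the "100% different, not 1% different" rule from the obstruction check.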
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1015
6e5a766786c0 Refined input-protection heuristics, added svg examples, updated XFO reference to RFC7034
bhill2
parents: 22
diff changeset
  1016
</section>
19
f828d1ce0cde removed top-only, added script interfaces, updated
bhill@L-SJN-00530327.corp.ebay.com
parents: 18
diff changeset
  1017
<section id="security-considerations" class=informative>
5
b60afa40a19e Many changes, preparing for FPWD.
bhill@L-SJN-00530327.corp.ebay.com
parents: 4
diff changeset
  1018
<h2>Security Considerations</h2>
<p>UI Redressing and Clickjacking attacks rely on violating the contextual and temporal integrity of embedded content.  Because these attacks target the subjective perception of the user and not well-defined security boundaries, the heuristic protections afforded by the <code>input-protection</code> directive can never be 100% effective for every interface. It provides no protection against certain classes of attacks, such as displaying content around an embedded resource that appears to extend a trusted dialog but provides misleading information.</p>
</section><section class=informative>
<h2>Implementation Considerations</h2>
<p>The policy and intent of the user always take precedence over the policy
of resources.  In particular, transformations, customizations or enhancements
of visual content made by the user agent or user-installed plugins SHOULD NOT cause the
<code>input-protection</code> heuristic to be triggered.</p>
<p>Many UI Redressing and Clickjacking attacks rely on exploiting specific features of user agents, such as repositioning of the browsing window, hiding or creating fake cursors, and script-driven scrolling and content repositioning.  Not all attacks apply to all user agents in all contexts.  User agents are free to optimize or not implement suggested heuristics when they do not apply, for example:
<ul>
	<li>Cursor integrity in a touch-only environment</li>
	<li>Drag and drop protections for user agents where
	<code>drag</code> is not a supported event type</li>
	<li><code>ui-width</code> and <code>ui-height</code> values that exceed the
	capabilities of the browsing environment</li>
</ul>
<p>Some resource owners may specify a restrictive policy forbidding embedding in
user agents that only understand <code>X-Frame-Options</code> but be more
permissive with user agents that implement UI Security directives.  User agents
that are aware of but choose not to implement any of the heuristics in this
document MAY still ignore <code>X-Frame-Options</code> when
presented in combination with UI Security directives in a Content Security Policy.
For example, a browsing environment that deliberately chooses not to implement
UI Security features because they interfere with assistive technologies SHOULD NOT deny
users access to resources on this account.  User agents taking this stance SHOULD
implement the <code>unsafe</code> attribute of the <code>UIEvent</code> interface
as this may be interrogated by client applications doing feature detection.</p>
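<p>The header combination described above, modelled as an added example that is not part of this specification or any user agent's code. The three user agent class names, the sample header values and the function names are assumptions made for illustration; only a <code>DENY</code> value of <code>X-Frame-Options</code> is modelled.</p>

```javascript
// Constructed sample response headers: restrictive for X-Frame-Options-only
// user agents, permissive where UI Security directives are understood.
const sampleHeaders = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; input-protection; report-uri /csp-report",
};

// Return the lowercase directive names present in a CSP header value.
function cspDirectiveNames(headerValue) {
  return (headerValue || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/)[0].toLowerCase())
    .filter((name) => name.length > 0);
}

// Assumption: only `input-protection`, the directive this section names, is checked.
function hasUiSecurityDirective(headers) {
  return cspDirectiveNames(headers['Content-Security-Policy']).includes('input-protection');
}

// Framing decision for three hypothetical user agent classes:
//   'xfo-only'      understands X-Frame-Options but not UI Security directives
//   'ui-security'   implements the input-protection heuristics
//   'aware-no-heur' knows the directives, deliberately skips the heuristics,
//                   and takes the MAY option of ignoring X-Frame-Options
function framingDecision(headers, uaClass) {
  const xfo = (headers['X-Frame-Options'] || '').trim().toUpperCase();
  const xfoBlocks = xfo === 'DENY'; // SAMEORIGIN needs origin data, not modelled
  const uiSec = hasUiSecurityDirective(headers);
  if (uaClass === 'xfo-only' || !uiSec) {
    // No UI Security directive in play: X-Frame-Options alone decides.
    return { framed: !xfoBlocks, heuristics: false };
  }
  // X-Frame-Options is ignored because UI Security directives accompany it.
  return { framed: true, heuristics: uaClass === 'ui-security' };
}

// Feature detection a client application can run to see whether the user
// agent exposes `unsafe` on UIEvent. In a browser, pass UIEvent.prototype.
function exposesUnsafeAttribute(uiEventPrototype) {
  return uiEventPrototype != null && 'unsafe' in uiEventPrototype;
}
```

<p>A resource owner can use such a model to confirm that a deployment never ends up framed without either <code>X-Frame-Options</code> enforcement or a user agent that knows the UI Security directives.</p>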
<p>In environments that support multiple, overlapping browser windows, attacks
may be mounted by positioning a target window under another, instructing the
user to double click, and closing the obstructing window with the first click.
[[CLICKJACKING-Unresolved]]  In such environments user agent
implementers may wish to use a native operating system screenshot facility to
calculate the user's view for the <strong>obstruction check</strong> phase of
the heuristic. In such cases user agents should take special caution regarding
potential interference from <a href=#accessibility>accessibility technologies</a>.</p>
<p>While this document describes a mechanism for resource authors to opt-in to
User Interface Security protections, user agents MAY choose to opt-in resources
to <code>input-protection</code> by default, or provide users with an option
to manually enable such protections.</p>
<p>If a user agent or user chooses to apply input protection in the absence of
an explicit directive, violations SHOULD NOT cause a violation report to be
generated, even if the resource supplied a Content Security Policy with a
<code>report-uri</code>.</p>
<!--<p>In support of enabling default protection, user agents MAY, with appropriate
user consent and privacy protections, gather large-scale data on when the
heuristic would have been triggered, if it had been enabled, for various values
of the configurable hint parameters.  Such data would allow the user agent to
determine what default settings can provide broad protection with an acceptable