incorporate edits from W3C team
authorbhill@L-SJN-00530327.corp.ebay.com
Mon, 04 Mar 2013 14:59:21 -0800
changeset 15 58d25d8b72e1
parent 14 ca2e54aaf765
child 16 b130b384c66a
user-interface-safety.html
--- a/user-interface-safety.html	Mon Nov 19 16:30:24 2012 -0800
+++ b/user-interface-safety.html	Mon Mar 04 14:59:21 2013 -0800
@@ -14,10 +14,10 @@
       var respecConfig = {
         // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
         // Member-SUBM
-        specStatus: "FPWD",
+        specStatus: "WD",
 
         // the specification's short name, as in http://www.w3.org/TR/short-name/
-        shortName:  "User Interface Safety",
+        shortName:  "UISecurity",
 
         // if your specification has a subtitle that goes below the main
         // formal title, define it here
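Review bot: the `// Member-SUBM` comment above `specStatus` is now misleading, since the value has moved from "FPWD" to "WD" and neither is a Member Submission; update or drop the comment so the config documents the actual status. The `shortName` change to "UISecurity" matches the `http://www.w3.org/TR/short-name/` convention the comment describes (no spaces), which the old value did not.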
@@ -91,7 +91,7 @@
 "CLEARCLICK" : "G. Maone <a href=\"http://noscript.net/downloads/ClearClick_WAS2012_rv2.pdf\"><cite>ClearClick: Effective Client-Side Protection Against UI Redressing Attacks</cite></a>. (Work in progress.) URL: <a href=\"http://noscript.net/downloads/ClearClick_WAS2012_rv2.pdf\">http://noscript.net/downloads/ClearClick_WAS2012_rv2.pdf</a>",
 "UIREDRESS" : "M. Zalewski <a href=\"http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)\"><cite>Browser Security Handbook, part 2</cite></a>. URL: <a href=\"http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)\">http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)</a>",
 "FRAMEBUSTING" : "Boneh, et al. <a href=\"http://seclab.stanford.edu/websec/framebusting/\"><cite>Busting frame busting: a study of clickjacking vulnerabilities at popular sites</cite></a>. URL: <a href=\"http://seclab.stanford.edu/websec/framebusting/\">http://seclab.stanford.edu/websec/framebusting/</a>",
-"INCONTEXT" : "Lin-Shung Huang, et al. <a href=\"https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf\"><cite>Clickjacking:Attacks and Defenses</cite></a> published in the 21st USENIX Security Symposium Proceedings.  URL: <a href=\"https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf\">https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf</a>"
+"INCONTEXT" : "Lin-Shung Huang, et al. <a href=\"https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf\"><cite>Clickjacking:Attacks and Defenses</cite></a> published in the 21st USENIX Security Symposium Proceedings.  URL: <a href=\"https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf\">https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final39.pdf</a>","SELECTORS4" : "Elika J. Etemad. <a href=\"http://www.w3.org/TR/2011/WD-selectors4-20110929/\"><cite>Selectors Level 4.</cite></a> 29 September 2011. W3C Working Draft. (Work in progress.) URL: <a href=\"http://www.w3.org/TR/2011/WD-selectors4-20110929/\">http://www.w3.org/TR/2011/WD-selectors4-20110929/</a>" 
 		     }
 
 
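Review bot: the new "SELECTORS4" bibliography entry is appended onto the same line as "INCONTEXT" (with a trailing space after the closing quote), unlike every other entry in this object, which sits on its own line; split it onto its own line, e.g.
"INCONTEXT" : "...",
"SELECTORS4" : "Elika J. Etemad. ...",
so later diffs to this block stay readable. The entry contents match the hand-written normative reference removed further down, so nothing is lost by the move.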
@@ -278,8 +278,7 @@
 
 <p>A <dfn id=selector-string>selector string</dfn> is a list of one or more
   <a href="http://dev.w3.org/csswg/selectors4/#complex">complex
-  selectors</a> (<a href="#bib-SELECTORS4"
-  rel=biblioentry>[SELECTORS4]<!--{{!SELECTORS4}}--></a>, section 3.1) that
+  selectors</a>(see [[SELECTORS4]], section 3.1) that
   <em class=ct>may</em> be surrounded by whitespace and matches the
   <code>dom_selectors_group</code> production.
 </p>
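Review bot: the rewritten line drops the space that preceded the parenthesis, so the rendered text reads "complex selectors(see [SELECTORS4], section 3.1)"; change it to `selectors</a> (see [[SELECTORS4]], section 3.1) that`. Switching to the `[[SELECTORS4]]` ReSpec shorthand is fine now that the entry exists in `respecConfig`.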
@@ -374,7 +373,6 @@
 should result in the event being delivered with the <code>unsafe</code> 
 attribute on the <code>UIEvent</code> set to <code>true</code>
 and cause a violation report to be sent.</p>
-</p>
 
 <p>The optional directive value allow resource authors to provide <a href="#input-protection-options">options</a> for heuristic tuning
 in the form of space-separated <code>option-name=option-value</code> pairs. </p>
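Review bot: removing the stray `</p>` is correct; while here, the context sentence "The optional directive value allow resource authors" has a number-agreement error and should read "The optional directive value allows resource authors".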
@@ -405,8 +403,9 @@
 threshold at which the screenshot comparison procedure of the input protection
 heuristic triggers a violation. A value of 0 indicates that no difference
 between the two images is permitted. A value of 99 provides little to no
-practical protection. If not specified, it defaults to 0.</p>
+practical protection. If not specified, it defaults to 0.
 </dd>
+</dl>
 </section>
 
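Review bot: this hunk removes the `</p>` from the end of the `input-protection` option description and relies on `</dd>` to implicitly close the paragraph; if the `<dd>` opens with a `<p>`, keep the explicit `</p>` and just add the `</dl>`, otherwise the markup becomes inconsistent with the other `<dd>` entries. Adding the missing `</dl>` before `</section>` is the right fix for the unclosed list.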
 <section id="input-protection-clip">
@@ -422,7 +421,6 @@
 <p>If explicitly set as part of a policy where no <code>input-protection</code>
 directive is explicitly set, the <code>input-protection-clip</code> directive
 implies the <code>input-protection</code> directive as if it was set in the same policy with its default value.</p>
-</p>
 
 <pre>
 directive-name  = "input-protection-clip"
@@ -521,13 +519,13 @@
 following additional steps MUST be added to the algorithm defined in
 Content Security Policy to <em>prepare a violation report</em>:</p>
 
-</p>In step 1, when preparing the JSON object <em>violation-object</em>,
+<p>In step 1, when preparing the JSON object <em>violation-object</em>,
 add the following keys and values to the <dfn>csp-report</dfn>: [[!CSP]]</p>
 
 <p>If the violation is of the <code>frame-options</code> directive, add the
 following keys and values:</p>
 
-<ul><dl>
+<dl>
 	<dt>frame-options</dt>
 	<dd><em>No value.</em></dd>
 	<p class="issue">
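Review bot: replacing `<ul><dl>` with `<dl>` fixes an invalid nesting, but the `<p class="issue">` that follows the `<dd>` is still a direct child of `<dl>`, which only permits `dt`/`dd` (and `div`, `script`, `template`) children; move the issue paragraph inside the preceding `<dd>` or close the `<dl>` before it, as the next hunk does for the `input-protection` list. The `</p>` to `<p>` correction on "In step 1" is right.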
@@ -535,21 +533,23 @@
 is currently allowed by the Same Origin Policy.  Is there a safe way
 to provide more meaningful information?
 </p>
-</dl></ul>
+</dl>
 
 <p>If the violation is of the <code>input-protection</code> directive, add
 the following keys and values:</P>
 
-<ul><dl>
+<dl>
 	<dt>blocked-event-type</dt>
 	<dd>The <code>type</code> attribute of the <code>UIEvent</code> that was blocked by policy.</dd>
 
 	<dt>touch-event</dt>
 	<dd>A <dfn>boolean</dfn> indicating whether the event blocked by policy was a <dfn>Touch Event</dfn> [[TOUCH-EVENTS]].</dd>
+</dl>
 
 <p class="issue">
 Need to harmonize with the new Pointer Events WG specs.
 </p>
+<dl>
 	<dt>client-height</dt>
 	<dd>The <code>document.documentElement.clientHeight</code> property
 	as defined in <em>TODO</em>.</dd>
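Review bot: `<dfn>boolean</dfn>` and `<dfn>Touch Event</dfn>` in the `touch-event` entry mark these as terms defined by this document, yet they are defined elsewhere ([[TOUCH-EVENTS]] for the latter); use plain text or a link instead of `<dfn>` so ReSpec does not index them as local definitions. Minor: the closing tag on "the following keys and values:" is `</P>` while the rest of the file uses lowercase. Splitting the `<dl>` around the issue note is the correct way to keep the paragraph out of the list.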
@@ -564,26 +564,26 @@
 	<dt>blocked-event-client-y</dt>
 	<dd>The <code>clientY</code> attribute of the <code>UIEvent</code> that was blocked by policy, if set.</dd>
 
-</dl></ul>
+</dl>
 
 <p class="issue">What standard defines these attributes?</p>
 
 <p>If the target of an <code>UIEvent</code> which triggers an <code>input-protection</code> violation has an explictly-set <code>id</code> attribute:
 
 
-<ul><dl>
+<dl>
 	<dt>blocked-target-id</dt>
 	<dd>The <code>id</code> attribute of the DOM Element that a violating
 	<code>UIEvent</code> targeted.</dd>
-</dl></ul>
+</dl>
 
 <p>Otherwise, if the target element does not have an explicit <code>id</code> attribute:
 
-<ul><dl>
+<dl>
 	<dt>blocked-target-xpath</dt>
 	<dd>An XPath [[!XPATH]] expression that returns the target <code>Element</code> of the <code>UIEvent</code>
 	that was blocked by policy. <em>TODO: describe the algorithm to do this here</em></dd>
-</dl></ul>
+</dl>
 
 
 </section>
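Review bot: the two introductory paragraphs "If the target of an `UIEvent` ..." and "Otherwise, if the target element ..." open a `<p>` that is never closed before the following `<dl>`; add the `</p>` explicitly rather than depending on implicit closing, given the rest of this commit is cleaning up exactly that kind of stray tag. Also "explictly-set" should be "explicitly-set" and "an UIEvent" should be "a UIEvent". The `</dl></ul>` to `</dl>` changes are correct.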
@@ -881,7 +881,6 @@
 enforcement of the <strong>Input Protection Heuristic</strong> if it 
 interferes with their chosen accessibility technologies.</p>
 
-</p>
 </section>
 
 </section><section>
@@ -896,41 +895,12 @@
 of the Content-Security-Policy and Content-Security-Policy-Report-Only headers, so
 no updates to the permanent message header field registry (see [<a
 href="http://tools.ietf.org/html/rfc3864">RFC3864</a>]) are required.
-</section></section>
-
-<h2 class=no-num id=references>References</h2>
-
-  <h3 class=no-num id=normative-references>Normative references</h3>
-  <!--begin-normative-->
-  <!-- Sorted by label -->
-
-  <dl class=bibliography>
-   <dt style="display: none"><!-- keeps the doc valid if the DL is empty -->
-    <!---->
-    
-   <dt id=bib-RFC2119>[RFC2119]
+</p>
 
-   <dd>S. Bradner. <a href="http://www.ietf.org/rfc/rfc2119.txt"><cite>Key
-    words for use in RFCs to Indicate Requirement Levels.</cite></a> Internet
-    RFC 2119. URL: <a
-    href="http://www.ietf.org/rfc/rfc2119.txt">http://www.ietf.org/rfc/rfc2119.txt</a>
-    </dd>
-   <!---->
-
-   <dt id=bib-SELECTORS4>[SELECTORS4]
+</section>
 
-   <dd>Elika J. Etemad. <a
-    href="http://www.w3.org/TR/2011/WD-selectors4-20110929/"><cite>Selectors
-    Level 4.</cite></a> 29 September 2011. W3C Working Draft. (Work in
-    progress.) URL: <a
-    href="http://www.w3.org/TR/2011/WD-selectors4-20110929/">http://www.w3.org/TR/2011/WD-selectors4-20110929/</a>
-    </dd>
-   <!---->
-
-  </dl>
-  <!--end-normative-->
-
-
+<section class='appendix'>
+</section>
 
 </body>
 </html>
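Review bot: the old text closed two sections (`</section></section>`) but the replacement closes only one, so the section opened by the preceding `</section><section>` is still open when `<section class='appendix'>` begins and the appendix ends up nested inside it rather than at top level; add the second `</section>` before the appendix. The appendix section is also empty and will render as an empty appendix heading in ReSpec; either fill it or leave it out until there is content. Dropping the hand-written normative references is fine since ReSpec generates them from `respecConfig` (RFC2119 is added automatically), and the added `</p>` correctly closes the registry paragraph.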