Nytro Posted May 23, 2013

[h=1]User Interface Security Directives for Content Security Policy[/h]
[h=2]W3C Working Draft 23 May 2013[/h]

This version: User Interface Security Directives for Content Security Policy
Latest published version: User Interface Security Directives for Content Security Policy
Latest editor's draft: http://dvcs.w3.org/hg/user-interface-safety/raw-file/tip/user-interface-safety.html
Previous version: User Interface Safety Directives for Content Security Policy
Editors:
Giorgio Maone, Invited Expert
David Lin-Shung Huang, Carnegie Mellon University
Tobias Gondrom, Invited Expert
Brad Hill, PayPal Inc.

Copyright © 2012-2013 W3C® (MIT, ERCIM, Keio, Beihang), All Rights Reserved. W3C liability, trademark and document use rules apply.

[h=2]Abstract[/h]

This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and defines a reporting mechanism for when they are triggered.

[h=2]Status of This Document[/h]

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at All Standards and Drafts - W3C.

This is a Working Draft of the User Interface Security Directives for Content Security Policy [CSP]. Portions of the technology described in this document were originally developed as part of X-Frame-Options [XFRAMEOPTIONS], the ClearClick module of the Mozilla Firefox add-on NoScript [CLEARCLICK], and the InContext system implemented experimentally in Internet Explorer [INCONTEXT].
In addition to the documents in the W3C Web Application Security working group, the work on this document is also informed by the work of the IETF websec working group, particularly that working group's requirements document: draft-hodges-websec-framework-reqs.

This document was published by the Web Application Security Working Group as a Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-webappsec@w3.org (subscribe, archives). All comments are welcome.

Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

[h=2]Table of Contents[/h]

1. Introduction
2. Conformance
  2.1 Terminology
3. Directives
  3.1 frame-options
    3.1.1 Multiple Host Source Values
  3.2 input-protection
  3.3 input-protection-clip
  3.4 input-protection-selectors
  3.5 report-uri
    3.5.1 Producing blocked-target-xpath
4. DOM interface
5. Script Interfaces
  5.1 SecurityPolicyViolationEvent Events
    5.1.1 Attributes
    5.1.2 Dictionary SecurityPolicyViolationEventInit Members
  5.2 SecurityPolicy
    5.2.1 Attributes
6. Input Protection Heuristic
  6.1 Preparation
  6.2 UI Event handling
  6.3 Examples
    6.3.1 Sample Policy Definitions
    6.3.2 Sample Violation Report
  6.4 Security Considerations
  6.5 Implementation Considerations
    6.5.1 Accessibility Technologies
  6.6 Implementation Considerations for Resource Authors
  6.7 IANA Considerations
A. References
  A.1 Normative references
  A.2 Informative references

Link: User Interface Security Directives for Content Security Policy