OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

oslc-core message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Click jacking guidelines in OSLC Delegated Dialog

Regarding OSLCCORE-40 Potential click jacking issue for delegated dialogs, you indicated the click jacking section in the Delegated Dialog specification needs some clarification/update.

We discussed this on the Core TC call today and concluded:

1. There are many possible security issues with any application built on the WWW technologies (HTTP, REST, LDP, etc.)
2. OSLC specifications should only address unique security issues exposed by OSLC introduced capabilities, such as Delegated Dialogs.
3. The TC does not believe that OSLC delegated dialogs increases the risk for click jacking any more than any other Web application that includes UI that has action buttons.
4. Therefore the Click Jacking section in the Delegated Dialog specification, although useful information, introduces no normative content, and may be unnecessary.

So we have a couple of choices:

1. Consider the section unnecessary and remove it from the specification.
2. Leave the section and provide specific recommendations for updating it in order to close the issue and proceed to public review

@Martin, and @Ian: do either of you have a preference on which way to go, and if its to leave the section, do you have specific recommendations for update?

Based on your feedback, the Core TC will review this issue, perhaps through further emails, and have a vote whether to accept as updated, or remove the section.

Jim Amsden, Senior Technical Staff Member
OSLC and Linked Lifecycle Data

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]