OASIS Mailing List Archives
oslc-core message
Subject: Click jacking guidelines in OSLC Delegated Dialog


Ian,
Regarding OSLCCORE-40, Potential clickjacking issue for delegated dialogs, you indicated that the clickjacking section in the Delegated Dialog specification needs some clarification/update.

We discussed this on the Core TC call today and concluded:

1. There are many possible security issues with any application built on the WWW technologies (HTTP, REST, LDP, etc.).
2. OSLC specifications should only address unique security issues exposed by OSLC-introduced capabilities, such as Delegated Dialogs.
3. The TC does not believe that OSLC delegated dialogs increase the risk of clickjacking any more than any other Web application that includes UI with action buttons.
4. Therefore, the Click Jacking section in the Delegated Dialog specification, although useful information, introduces no normative content and may be unnecessary.

So we have a couple of choices:

1. Consider the section unnecessary and remove it from the specification.
2. Leave the section and provide specific recommendations for updating it in order to close the issue and proceed to public review.

@Martin and @Ian: do either of you have a preference on which way to go, and if it is to leave the section, do you have specific recommendations for the update?

Based on your feedback, the Core TC will review this issue, perhaps through further emails, and hold a vote on whether to accept the section as updated or remove it.



Jim Amsden, Senior Technical Staff Member
OSLC and Linked Lifecycle Data
919-525-6575