oslc-core message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: Click jacking guidelines in OSLC Delegated Dialog


I do believe delegated dialogs pose a specific problem beyond other pages that contain action buttons, in that delegated dialogs are specifically intended to be embedded in other web pages. The key consequence of this is that the protections that are usually available for preventing click jacking are not appropriate for delegated dialogs. Specifically, the protections to prevent the page (dialog) from being embedded in all other pages would prevent delegated dialogs from being used in a significant proportion of their uses.
 
Martin
 
----- Original message -----
From: Jim Amsden/Raleigh/IBM
To: Martin P Pain/UK/IBM@IBMGB, Ian Green1/UK/IBM@IBMGB
Cc: "OSLC Core TC (oslc-core@lists.oasis-open.org)" <oslc-core@lists.oasis-open.org>
Subject: Click jacking guidelines in OSLC Delegated Dialog
Date: Thu, Feb 18, 2016 5:30 PM
 
Ian,
Regarding OSLCCORE-40 Potential click jacking issue for delegated dialogs, you indicated the click jacking section in the Delegated Dialog specification needs some clarification/update.

We discussed this on the Core TC call today and concluded:

1. There are many possible security issues with any application built on the WWW technologies (HTTP, REST, LDP, etc.)
2. OSLC specifications should only address unique security issues exposed by OSLC introduced capabilities, such as Delegated Dialogs.
3. The TC does not believe that OSLC delegated dialogs increase the risk for click jacking any more than any other Web application that includes UI that has action buttons.
4. Therefore the Click Jacking section in the Delegated Dialog specification, although useful information, introduces no normative content, and may be unnecessary.

So we have a couple of choices:

1. Consider the section unnecessary and remove it from the specification.
2. Leave the section and provide specific recommendations for updating it in order to close the issue and proceed to public review

@Martin, and @Ian: do either of you have a preference on which way to go, and if it's to leave the section, do you have specific recommendations for update?

Based on your feedback, the Core TC will review this issue, perhaps through further emails, and have a vote whether to accept as updated, or remove the section.



Jim Amsden, Senior Technical Staff Member
OSLC and Linked Lifecycle Data
919-525-6575
 
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
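As an added illustration of the point Martin makes above (this is example code, not part of the OSLC specification or of the TC's discussion, and the consumer origins in it are hypothetical): the blanket anti-clickjacking headers a provider would normally send refuse every framing parent, which is exactly what a delegated dialog cannot tolerate, whereas a per-consumer `frame-ancestors` allowlist keeps the dialog embeddable by known consumers while still rejecting an unknown page that tries to frame it. The caveat for a practitioner is that the provider must know its consumers' origins up front; `X-Frame-Options` alone cannot express such a list.

```javascript
// Added example (not from the OSLC specification or the OSLC TC): choosing a
// framing policy for a delegated dialog. All origins below are hypothetical.

// Hypothetical consumer (embedding) origins the dialog provider trusts.
const ALLOWED_EMBEDDERS = ['https://consumer.example', 'https://rtc.example'];

// Accept only plain https origins or a "https://*.host" subdomain pattern.
// A bare "*" or an http: source would quietly defeat the allowlist.
function validateEmbedderSource(source) {
  if (!/^https:\/\/(\*\.)?[a-z0-9.-]+(:\d+)?$/i.test(source)) {
    throw new Error(`unsafe frame-ancestors source: ${source}`);
  }
}

// The usual anti-clickjacking headers for a page that must never be framed.
// Applied to a delegated dialog they would block every legitimate consumer.
function framingHeadersForStandalonePage() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// For a dialog, restrict framing to known consumers instead of forbidding it.
// X-Frame-Options has no multi-origin allowlist (ALLOW-FROM took a single
// origin and current browsers ignore it), so CSP frame-ancestors carries it.
function framingHeadersForDialog(allowedEmbedders) {
  allowedEmbedders.forEach(validateEmbedderSource);
  const sources = ["'self'", ...allowedEmbedders].join(' ');
  return { 'Content-Security-Policy': `frame-ancestors ${sources}` };
}

// Extract the frame-ancestors source list from a CSP header value, or null
// when the directive is absent (CSP then imposes no framing restriction).
function frameAncestorSources(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source permit ancestorOrigin to frame selfOrigin?
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === selfOrigin;
  const ancestor = new URL(ancestorOrigin);
  if (source.startsWith('https://*.')) {
    const suffix = source.slice('https://*'.length); // e.g. ".corp.example"
    return ancestor.protocol === 'https:' && ancestor.host.endsWith(suffix);
  }
  return source.toLowerCase() === ancestorOrigin.toLowerCase();
}

// Approximate the browser's decision: may a document at selfOrigin, served
// with these response headers, be framed by a document at ancestorOrigin?
function isFramingAllowed(headers, ancestorOrigin, selfOrigin) {
  const sources = frameAncestorSources(headers['Content-Security-Policy'] || '');
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return sources.some((src) => sourceMatches(src, ancestorOrigin, selfOrigin));
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === selfOrigin;
  return true; // no framing header at all: any page may embed it
}

// Usage: the dialog origin is hypothetical.
const dialogHeaders = framingHeadersForDialog(ALLOWED_EMBEDDERS);
console.log(dialogHeaders['Content-Security-Policy']);
console.log(isFramingAllowed(dialogHeaders, 'https://consumer.example', 'https://dialog.example'));
console.log(isFramingAllowed(dialogHeaders, 'https://evil.example', 'https://dialog.example'));
```

The `isFramingAllowed` check is only a model of what the browser enforces, useful for testing the headers a provider emits; the actual enforcement happens in the consumer's browser, which is why a dialog that ships no framing header at all is embeddable by any page, trusted or not.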


