Three minor comments

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Three minor comments

Philippe De Ryck-2
The following comment contains detailed information about a few issues
that were identified during a recent security analysis of 13 W3C
standards, organized by ENISA (European Network and Information Security
Agency), and performed by the DistriNet Research Group (K.U. Leuven,
Belgium).

The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.

 Issues
--------

HTML5EL-SECURE-2.Menu Integration: A web application can define
contextual and toolbar menus. The specification does not mention many
implementation details. A user agent may implement integrate these menus
with its own user interface, especially on small displays such as
smartphones. This may confuse a user and may present malicious or
erroneous menu items.

HTML5EL-SECURE-3.Keygen Scenarios: The specification does not provide
enough details about the keygen element. No concrete usage scenarios
(from keygen to actual use of the key) or implementation requirements
(e.g. storage of private keys) are provided.

HTML5EL-USER-1.Overriding Sandbox: Sandboxed content is not allowed to
load plugin content. The specification of the embed element however
states that a user agent may allow the user to override this for a
specific content item, but the user agent should warn the user that this
could be dangerous. The override option is only briefly mentioned as
part of the description of the embed element, but is also an important
aspect of the sandbox attribute. The spec should either mention this
with the sandbox attribute or refer to the embed element.


(*) HTML version of the report is available as well:
https://distrinet.cs.kuleuven.be/projects/HTML5-security/
--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Reply | Threaded
Open this post in threaded view
|

Re: Three minor comments

Michael[tm] Smith
In response to the following message:

  http://www.w3.org/mid/1312393604.16132.5.camel@maverick

... the following bug has been raised in the W3C Bugzilla database:

  http://www.w3.org/Bugs/Public/show_bug.cgi?id=13698

You are encouraged to add yourself to the CC List for the bug -- which
will require that you create a W3C Bugzilla user account (if you don't
have one already):

  http://www.w3.org/Bugs/Public/createaccount.cgi

Reply | Threaded
Open this post in threaded view
|

Re: Three minor comments

Michael[tm] Smith
In reply to this post by Philippe De Ryck-2
Hi Philippe,

Note that Hixie has responded to your comment and noted that he doesn't
understand the third part of your comment (HTML5EL-USER-1.Overriding
Sandbox):

  http://www.w3.org/Bugs/Public/show_bug.cgi?id=13698#c1

If you others familiar with content of the comments could post a follow-up
comment to that bug, that would be great.

  --Mike

Philippe De Ryck <[hidden email]>, 2011-08-03 19:46 +0200:

> The following comment contains detailed information about a few issues
> that were identified during a recent security analysis of 13 W3C
> standards, organized by ENISA (European Network and Information Security
> Agency), and performed by the DistriNet Research Group (K.U. Leuven,
> Belgium).
>
> The complete report is available at http://www.enisa.europa.eu/html5
> (*), and contains information about the process, the discovered
> vulnerabilities and recommendations towards improving overall security
> in the studied specifications.
>
>  Issues
> --------
>
> HTML5EL-SECURE-2.Menu Integration: A web application can define
> contextual and toolbar menus. The specification does not mention many
> implementation details. A user agent may implement integrate these menus
> with its own user interface, especially on small displays such as
> smartphones. This may confuse a user and may present malicious or
> erroneous menu items.
>
> HTML5EL-SECURE-3.Keygen Scenarios: The specification does not provide
> enough details about the keygen element. No concrete usage scenarios
> (from keygen to actual use of the key) or implementation requirements
> (e.g. storage of private keys) are provided.
>
> HTML5EL-USER-1.Overriding Sandbox: Sandboxed content is not allowed to
> load plugin content. The specification of the embed element however
> states that a user agent may allow the user to override this for a
> specific content item, but the user agent should warn the user that this
> could be dangerous. The override option is only briefly mentioned as
> part of the description of the embed element, but is also an important
> aspect of the sandbox attribute. The spec should either mention this
> with the sandbox attribute or refer to the embed element.
>
>
> (*) HTML version of the report is available as well:
> https://distrinet.cs.kuleuven.be/projects/HTML5-security/
> --
> Philippe De Ryck
> K.U.Leuven, Dept. of Computer Science
>
>
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

--
Michael[tm] Smith
http://people.w3.org/mike/+