-
-
- Let |this| be a new {{VisibilityObserver}} object -
- Set |this|'s internal {{[[callback]]}} slot to |callback|. -
+ : new VisibilityObserver(callback, options)
+ ::
+
-
+
- Let |this| be a new {{VisibilityObserver}} object +
- Set |this|'s internal {{[[callback]]}} slot to |callback|. +
-
-
- Add |this| to the document's {{[[RegisteredVisibilityObservers]]}} list +
- Add |this| to the document's {{[[RegisteredVisibilityObservers]]}} list
The VisibilityObserverInit dictionary
- dictionary VisibilityObserverInit {
- (double or sequence<double>) areaThreshold = 0;
- (boolean) displacementAware = false;
- (DOMString) visibleMargin = "0px";
- (Element)? observedElement;
- };
+ dictionary VisibilityObserverInit {
+ (double or sequence<double>) areaThreshold = 0;
+ (boolean) displacementAware = false;
+ (DOMString) visibleMargin = "0px";
+ (Element)? observedElement;
+ };
@@ -330,57 +331,57 @@ spec:dom; type:interface; text:Document
: visibleMargin
::
- Same as 'margin', extends the required visibility rectangle
- behind the protected-element.{{Element/getBoundingClientRect()}}.
- Can be 1, 2, 3 or 4 components, possibly negative lengths.
-
- If there is only one component value, it applies to all sides.
- If there are two values, the top and bottom margins are set to
- the first value and the right and left margins are set to the
- second. If there are three values, the top is set to the first
- value, the left and right are set to the second, and the bottom
- is set to the third. If there are four values, they apply to the
- top, right, bottom, and left, respectively.e.g.
-
+
-
- "5px" // all margins set to 5px
- "5px 10px" // top & bottom = 5px, right & left = 10px
- "-10px 5px 8px" // top = -10px, right & left = 5px, bottom = 8px
- "-10px -5px 5px 8px" // top = -10px, right = -5px, bottom = 5px, left = 8px
-
-
+ Same as 'margin', extends the required visibility rectangle
+ behind the protected-element.{{Element/getBoundingClientRect()}}.
+ Can be 1, 2, 3 or 4 components, possibly negative lengths.
+
+ If there is only one component value, it applies to all sides.
+ If there are two values, the top and bottom margins are set to
+ the first value and the right and left margins are set to the
+ second. If there are three values, the top is set to the first
+ value, the left and right are set to the second, and the bottom
+ is set to the third. If there are four values, they apply to the
+ top, right, bottom, and left, respectively.e.g.
+
+
+ "5px" // all margins set to 5px
+ "5px 10px" // top & bottom = 5px, right & left = 10px
+ "-10px 5px 8px" // top = -10px, right & left = 5px, bottom = 8px
+ "-10px -5px 5px 8px" // top = -10px, right = -5px, bottom = 5px, left = 8px
+
+
: observedElement
::
The {{Element}} being observed. If unset, the internal slot will be
initialized to the {{Document}} element.
- Content Security Policy Interface
+Content Security Policy Interface
- This section describes the Content Security Policy - directive introduced in this specification to provide declarative - configuration of protection against input when an element does not meet it's - visibility requirements. + This section describes the Content Security Policy + directive introduced in this specification to provide declarative + configuration of protection against input when an element does not meet it's + visibility requirements. - The optional directive-value allows configuration of conditions for which violations - will be triggered. + The optional directive-value allows configuration of conditions for which violations + will be triggered. -The input-protection Directive
+The input-protection Directive
directive-name = 'input-protection' @@ -398,21 +399,21 @@ spec:dom; type:interface; text:Document protected area is below this threshold. Threshold values must be in the range [0, 1.0] and represent a - percentage of the area as specified by + percentage of the area as specified by protected-element.{{Element/getBoundingClientRect()}}, adjusted by visible-margin. Unlike the imperative API, only a single value may be specified. protected-element A {{DOMString}} used as the argument to {{NonElementParentNode/getElementById()}} - to resolve the {{Element}} to which the policy applies. + to resolve the {{Element}} to which the policy applies. If unspecified the policy is applied to the resource's {{Document}} node. time-threshold A numeric value in the range [0, 10000] that specifies how long, in milliseconds, the screen area containing the protected-element - must have unmodified viewiability properties when an event is + must have unmodified viewiability properties when an event is delivered to it or one of its ancestors. If not specified, it defaults to 800. If a value outside of the @@ -421,18 +422,18 @@ spec:dom; type:interface; text:Document visible-margin Same as {{VisibilityObserverInit/visibleMargin}}. - + If unspecified, it defaults to "0px".
Element
{{Element}} objects have an internal \[[InputProtectionObservers]] list, @@ -465,7 +466,7 @@ spec:dom; type:interface; text:Document- \[[QueuedEntries]] which is initialized to an empty list -
- \[[previousVisibleRatio]] +
- \[[previousVisibleRatio]] which is initialized to 0
- \[[previousGlobalViewportPosition]]
-
-
- \[[timeThreshold]] -
- \[[associatedContentSecurityPolicy]] -
-
+
- \[[timeThreshold]] +
- \[[associatedContentSecurityPolicy]] +
Algorithms
@@ -499,36 +500,39 @@ spec:dom; type:interface; text:Document task to notify visibility observers in the list of idle request callbacks with an appropriate |timeout|. - Issue: Should we define an appropriate |timeout|? + Issue: Should we define an appropriate |timeout|?Notify VisibilityObservers
- To notify visibility observers for a + To notify visibility observers for a unit of related similar-origin browsing contexts |unit|, run these steps:- Set |unit|'s VisibilityObserverTaskQueued flag to false. -
- For each {{Document}} |document| in |unit| -
- Let |notify list| be a copy of |document|'s {{[[RegisteredVisibilityObservers]]}} +
- For each {{Document}} |document| in |unit|
+
-
+
- Let |notify list| be a copy of |document|'s {{[[RegisteredVisibilityObservers]]}} list. -
- For each {{VisibilityObserver}} object |observer| in - |notify list|, run these steps: +
- For each {{VisibilityObserver}} object |observer| in
+ |notify list|, run these steps:
- If |observer|'s internal {{[[QueuedEntries]]}} slot is - empty, continue. + empty, continue.
- Let |queue| be a copy of |observer|'s internal - {{[[QueuedEntries]]}} slot. + {{[[QueuedEntries]]}} slot.
- Clear |observer|'s internal {{[[QueuedEntries]]}} slot.
- Invoke |callback| with |queue| as the first argument and - |observer| as the second argument and - callback this value. If this throws an exception, - report the exception. + |observer| as the second argument and + callback this value. If this throws an exception, + report the exception.
-
-
Queue a VisibilityObserverEntry
@@ -545,16 +549,16 @@ spec:dom; type:interface; text:Document This section is non-normative.
- NOTE: The full internal details of rendering a document to the pixels
- actually displayed to the user is not standardized. UA implementations
+ NOTE: The full internal details of rendering a document to the pixels
+ actually displayed to the user is not standardized. UA implementations
may vary widely.
- The implementation strategy detailed in this section is not normative. Any
- strategy which produces correct outcomes for the normative algorithms is
+ The implementation strategy detailed in this section is not normative. Any
+ strategy which produces correct outcomes for the normative algorithms is
conformant and implementers are encouraged to optimize whenever possible.
The possibility of variance among user agent implementations notwithstanding,
- the normative algorithms of this specification are designed such that a highly performant
+ the normative algorithms of this specification are designed such that a highly performant
implementation should be possible on the most common internal software and hardware
architectures that are state-of-the-art for user agents and consumer computing
platforms as of the time of writing.
@@ -564,104 +568,107 @@ spec:dom; type:interface; text:Document
rendering of the global viewport is delgated to a a Graphics Processing Unit (GPU)
using higher-level abstractions like surfaces, polygons, and vectors. As a consequence,
the main execution context of the user agent does not "know" what pixels actually result
- without reading them back. System architectures are optimized for sending data
+ without reading them back. System architectures are optimized for sending data
to a GPU, not returning data from it, therefore, approaches which rely on pixel comparisons
- are likely to have an unacceptable performance cost. Instead, the approach detailed
- here relies on correctness by design, by manipulating the order in which instructions
+ are likely to have an unacceptable performance cost. Instead, the approach detailed
+ here relies on correctness by design, by manipulating the order in which instructions
are sent to the GPU such that malicious interference is not possible.
Generally, at some point in the rendering of a set of documents in nested browsing
contexts into the fully composed graphical representation in the global viewport,
- a user agent will arrive at a set of intermediate representations we will designate
+ a user agent will arrive at a set of intermediate representations we will designate
as GraphicsLayers, each of which represents a graphical surface to be
painted / clipped / scrolled.
A GraphicsLayer representing the contents of a document in an iframe will
- be arranged in the layer stack such that at a later phase in the rendering
- it is automatically clipped and positioned relative to the series of viewports
+ be arranged in the layer stack such that at a later phase in the rendering
+ it is automatically clipped and positioned relative to the series of viewports
above it, and also subject to being drawn over or transformed by the layers above it.
To prevent potentially malicious composition, the user agent can
promote observed graphicsLayers by manipulating them such that
a document with {{[[RegisteredVisibilityObservers]]}}
-
-
- Is clipped and positioned as-if-unmodified within the set of viewports of its ancestor - browsing contexts. A promoted document should not be able to occupy more - screen real estate than it is given by its embedding contexts. +
- Is clipped and positioned as-if-unmodified within the set of viewports of its ancestor + browsing contexts. A promoted document should not be able to occupy more + screen real estate than it is given by its embedding contexts.
- Responds to hit testing and events as-if-unmodified. Implementation-specific modifications - to internal representations of the document should not change the behavior of the DOM. + to internal representations of the document should not change the behavior of the DOM.
- Is not subject to being drawn over or transformed by any other GraphicsLayers, - except other promoted layers, which should be treated as fully opaque occlusions - when reporting the visibility state of the document. + except other promoted layers, which should be treated as fully opaque occlusions + when reporting the visibility state of the document.
-
-
- For each |graphicsLayer| in |graphicsLayers| -
- For each {{Document}} |document| with an intermediate representation in |graphicsLayer| +
- For each |graphicsLayer| in |graphicsLayers| +
- For each {{Document}} |document| with an intermediate representation in |graphicsLayer|
-
-
- If |document| has an empty list of {{[[RegisteredVisibilityObservers]]}}, continue. -
- If |document| has a non-empty list of {{[[RegisteredVisibilityObservers]]}} +
- If |document| has an empty list of {{[[RegisteredVisibilityObservers]]}}, continue. +
- If |document| has a non-empty list of {{[[RegisteredVisibilityObservers]]}}
- If |document| is not the only {{Document}} represented in |graphicsLayer|, apply - whatever implementation-specific steps are necessary to place it in its own layer. - (e.g. apply translatez(0) to the documentElement) Let |graphicsLayer| be that - new layer. + whatever implementation-specific steps are necessary to place it in its own layer. + (e.g. apply translatez(0) to the documentElement) Let |graphicsLayer| be that + new layer.
- Let |rectToRaise| be the value of |document|.{{Element/getBoundingClientRect()}}.
- Intersect |rectToRaise| with |document|'s viewport clip rect.
- For every parent browsing context |parent| between |document| and the top-level document, - intersect |rectToRaise| with |parent|'s viewport clip rect, - and finally with the global viewport clip rect. + intersect |rectToRaise| with |parent|'s viewport clip rect, + and finally with the global viewport clip rect.
- Clip |graphicsLayer| to |rectToRaise|. (|graphicsLayer| may have zero width and height - if it is scrolled off screen by an ancestor browsing context) -
- Intersect |rectToRaise| with any items in the |promotedLayers| list. + if it is scrolled off screen by an ancestor browsing context) +
- Intersect |rectToRaise| with any items in the |promotedLayers| list.
- Add |rectToRaise| to the |promotedLayers| list. -
- Without reordering prior intermediate representations in a manner which would - change event dispatching, hit testing, or the DOM as exposed to JavaScript, reorder - the GraphicsLayers such that |rectToRaise| is on top of the root GraphicsLayer. - (e.g. by making it a direct child of the root layer) but beneath any layers in |promotedLayers| - that clipped it. +
- Without reordering prior intermediate representations in a manner which would + change event dispatching, hit testing, or the DOM as exposed to JavaScript, reorder + the GraphicsLayers such that |rectToRaise| is on top of the root GraphicsLayer. + (e.g. by making it a direct child of the root layer) but beneath any layers in |promotedLayers| + that clipped it.
- Let |protectedRect| be the value of |observer|'s {{[[observedElement]]}}.{{Element/getBoundingClientRect()}}, - adjusted by {{[[visibleMargin]]}}. + adjusted by {{[[visibleMargin]]}}.
- Let |visibleRatio| be the intersection of |protectedRect| with |rectToRaise|, divided by |protectedRect| - if |protectedRect| is non-zero, and 0 otherwise. -
- For each of |document|'s {{[[RegisteredVisibilityObservers]]}} |observer| + if |protectedRect| is non-zero, and 0 otherwise. +
- For each of |document|'s {{[[RegisteredVisibilityObservers]]}} |observer|
-
-
- Let |threshold| be the index of the first entry in - |observer|'s internal {{[[areaThreshold]]}} slot whose value - is greater than or equal to |visibleRatio|. If - |visibleRatio| is equal to 0, let |threshold| be - -1. -
- Let |oldVisibleRatio| be set to |observer|'s internal - {{[[previousVisibleRatio]]}} slot. -
- Let |oldThreshold| be the index of the first entry in - |observer|'s internal {{[[areaThreshold]]}} slot whose value - is greater than or equal to |oldVisibleRatio|. If - |oldVisibleRatio| is equal to 0, let - |oldThreshold| be -1. -
- Let |oldPosition| be the value of the |observer|'s internal - {{[[previousGlobalViewportPosition]]}}. -
- If |threshold| does not equal |oldThreshold|, or if |observer|'s - internal {{[[displacementAware]]}} slot is true and - |oldPosition| is not equal to |protectedRect|, -
- queue a VisibilityObserverEntry -
- Assign |visibleRatio| to |observer|'s internal - {{[[previousVisibleRatio]]}} slot. -
- Assign |protectedRect| to the value of the |observer|'s internal - {{[[previousGlobalViewportPosition]]}} slot. -
- Let |threshold| be the index of the first entry in + |observer|'s internal {{[[areaThreshold]]}} slot whose value + is greater than or equal to |visibleRatio|. If + |visibleRatio| is equal to 0, let |threshold| be + -1. +
- Let |oldVisibleRatio| be set to |observer|'s internal + {{[[previousVisibleRatio]]}} slot. +
- Let |oldThreshold| be the index of the first entry in + |observer|'s internal {{[[areaThreshold]]}} slot whose value + is greater than or equal to |oldVisibleRatio|. If + |oldVisibleRatio| is equal to 0, let + |oldThreshold| be -1. +
- Let |oldPosition| be the value of the |observer|'s internal + {{[[previousGlobalViewportPosition]]}}. +
- If |threshold| does not equal |oldThreshold|, or if |observer|'s
+ internal {{[[displacementAware]]}} slot is true and
+ |oldPosition| is not equal to |protectedRect|,
+
-
+
- queue a VisibilityObserverEntry +
- Assign |visibleRatio| to |observer|'s internal + {{[[previousVisibleRatio]]}} slot. +
- Assign |protectedRect| to the value of the |observer|'s internal + {{[[previousGlobalViewportPosition]]}} slot. +
-
-
-
+
Enforce An input-protection Directive
To enforce an input-protection directive for a {{Document}} |document|, - run the following steps: + run the following steps:- Parse the policy according to [[!CSP2]].
- If a value is set for protected-element, let |protectedElement| be the - {{Element}} returned by invoking |document|.{{NonElementParentNode/getElementById()}} with - the value as the input, or |document| if null or unset. + {{Element}} returned by invoking |document|.{{NonElementParentNode/getElementById()}} with + the value as the input, or |document| if null or unset.
- If |document|'s {{[[InputProtectionRequested]]}} flag is false, set it - to true. + to true.
- Construct a new {{VisibilityObserver}} |observer|, with {{[[areaThreshold]]}} set to the value of - area-threshold, {{[[visibleMargin]]}} set to the value of visible-margin, - {{[[observedElement]]}} set to |protectedElement|, {{[[displacementAware]]}} set to true, - and {{[[callback]]}} set to a new function with an empty function body. -
- Set the internal {{[[timeThreshold]]}} slot of |observer| to the value of time-threshold + area-threshold, {{[[visibleMargin]]}} set to the value of visible-margin, + {{[[observedElement]]}} set to |protectedElement|, {{[[displacementAware]]}} set to true, + and {{[[callback]]}} set to a new function with an empty function body. +
- Set the internal {{[[timeThreshold]]}} slot of |observer| to the value of time-threshold
- Set the internal {{[[associatedContentSecurityPolicy]]}} slot of |observer| to a reference to the - Content Security Policy which the input-protection directive is associated with. + Content Security Policy which the input-protection directive is associated with.
- When dispatching events, when an {{Element}} |element| will handle an {{Event}} |event|, - if |event| is of type Mouse Event, Pointer Event, Drag-and-Drop, or Clipboard Event, (TODO:linkify) - and if |element| has {{[[InputProtectionObservers]]}} |observers|: -
- If applicable, check the computed style for the cursor. If a cursor is typically displayed but - has been hidden or changed to a non-standard bitmap, handle a violation for |event| and each - |observer| in |observers|. -
- Otherwise, for each |observer| in |observers|: -
- If |observer|'s {{[[previousVisibleRatio]]}} is less than {{[[areaThreshold]]}}, - handle a violation for |observer|. -
- If |observer|'s {{[[previousVisibleRatio]]}} is greater than {{[[areaThreshold]]}}, - get the most recent {{VisibilityObserverEntry}} |entry| from |observer|'s - {{[[QueuedEntries]]}}. If the difference between |entry|.{{VisibilityObserverEntry/time}} - and |now| is less than {{[[timeThreshold]]}}, handle a violation for |observer|. -
- If applicable, check the computed style for the cursor. If a cursor is typically displayed but + has been hidden or changed to a non-standard bitmap, handle a violation for |event| and each + |observer| in |observers|. +
- Otherwise, for each |observer| in |observers|:
+
-
+
- If |observer|'s {{[[previousVisibleRatio]]}} is less than {{[[areaThreshold]]}}, + handle a violation for |observer|. +
- If |observer|'s {{[[previousVisibleRatio]]}} is greater than {{[[areaThreshold]]}}, + get the most recent {{VisibilityObserverEntry}} |entry| from |observer|'s + {{[[QueuedEntries]]}}. If the difference between |entry|.{{VisibilityObserverEntry/time}} + and |now| is less than {{[[timeThreshold]]}}, handle a violation for |observer|. +
+
-
-
-
-
-
+
Handle a Violation
To handle a violation of an input-protection directive for |observer| and |event|, run the following steps:-
@@ -710,15 +719,14 @@ spec:dom; type:interface; text:Document
- Determine if |policy| is being enforced or monitored. [[!CSP2]]
- If |policy| is being enforced, set |event|'s cancelled flag and stop propagation flag.
- If |policy| is being monitored, set |event|.{{isUnsafe}} to true. -
External Spec Integrations
HTML Processing Model: Event Loop
- As part of substep 10 of the + As part of substep 10 of the - update the rendering event loop in the HTML Processing Model, + update the rendering event loop in the HTML Processing Model, Promote Observed GraphicsLayers, passing in now as the timestamp.DOM: Dispatching Events
@@ -741,25 +749,24 @@ spec:dom; type:interface; text:Document Will be set to true if the event fired when the event did not meet the document's input-protection requirements. - - +Privacy Considerations
-This section is non-normative. + This section is non-normative. The timing of visibilityEvents may leak some information across Origin boundaries. An embedded document might have previously been unable to learn that it was obscured, or the timing and @@ -774,24 +781,24 @@ spec:dom; type:interface; text:DocumentSecurity Considerations
-This section is non-normative. + This section is non-normative. - UI Redressing and Clickjacking attacks rely on violating the contextual and temporal - integrity of embedded content. Because these attacks target the subjective perception - of the user and not well-defined security boundaries, the heuristic protections - afforded by the input-protection directive can never be 100% effective for every - interface. It provides no protection against certain classes of attacks, such as - displaying content around an embedded resource that appears to extend a trusted + UI Redressing and Clickjacking attacks rely on violating the contextual and temporal + integrity of embedded content. Because these attacks target the subjective perception + of the user and not well-defined security boundaries, the heuristic protections + afforded by the input-protection directive can never be 100% effective for every + interface. It provides no protection against certain classes of attacks, such as + displaying content around an embedded resource that appears to extend a trusted dialog but provides misleading information. When used as a mechanism to report visibility for purposes of monetizing content, @@ -805,12 +812,12 @@ spec:dom; type:interface; text:DocumentAccessibility Considerations
@@ -820,6 +827,4 @@ spec:dom; type:interface; text:Document modality is not subject to UI redressing attacks or definitions of "visibility" do not apply, the user agent SHOULD report a VisibilityEvent indicating 100% visibility, and SHOULD never fire a violation for any input-protection policy. - -
-
-
-
User Interface Security and the Visibility API
-W3C Working Draft,
+W3C Working Draft,
- This version: -
- http://www.w3.org/TR/2016/WD-UI Security-1-20160603/
+
- https://www.w3.org/TR/1970/WD-UISecurity-1-19700101/ +
- Latest published version: +
- https://www.w3.org/TR/UISecurity/
- Editor's Draft: -
- https://w3c.github.io/webappsec/specs/uisecurity/
+
- https://w3c.github.io/webappsec-uisecurity/
- Feedback: -
- public-webappsec@w3.org with subject line “[UI Security] … message topic …” (archives) -
- Issue Tracking: -
- Inline In Spec
+
- public-webappsec@w3.org with subject line “[UISecurity] … message topic …” (archives)
- Editor:
- Author: -
- Dan Kaminsky, White Ops
-
- David Lin-Shung Huang, Carnegie Mellon University -
- Giorgio Maone, Invited Expert +
- Dan Kaminsky, White Ops +
- David Lin-Shung Huang, Carnegie Mellon University +
- Giorgio Maone, Invited Expert
- David Lin-Shung Huang, Carnegie Mellon University -
Copyright © 2016 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply.
+Copyright © 1970 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply.
Abstract
+
Abstract
UI Security and the Visibility API defines both a -declarative and imperative means for resources -displayed in an embedded context to protect -themselves against having their content obscured, -moved, or otherwise displayed in a misleading -manner.
+ declarative and imperative means for resources + displayed in an embedded context to protect + themselves against having their content obscured, + moved, or otherwise displayed in a misleading + manner.Status of this document
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report - can be found in the W3C technical reports - index at http://www.w3.org/TR/.
-This document was published by the Web Application Security Working Group as a Working Draft. This document is intended to become a W3C Recommendation.
-The (archived) public mailing list public-webappsec@w3.org (see instructions) + can be found in the W3C technical reports + index at https://www.w3.org/TR/.
+This document was published by the Web Application Security Working Group as a Working Draft. This document is intended to become a W3C Recommendation.
+The (archived) public mailing list public-webappsec@w3.org (see instructions) is preferred for discussion of this specification. When sending e-mail, - please put the text “UI Security” in the subject, + please put the text “UISecurity” in the subject, preferably like this: - “[UI Security] …summary of comment…”
+ “[UISecurity] …summary of comment…”Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
-This document was produced by the Web Application Security Working Group.
+This document was produced by the Web Application Security Working Group.
This document was produced by a group operating under - the 5 February 2004 W3C Patent Policy. - W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; + the W3C Patent Policy. + W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. - An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
-This document is governed by the 1 September 2015 W3C Process Document.
+ An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy. +This document is governed by the 15 September 2020 W3C Process Document.
1.
Collectively known as User Interface Redressing, the goal
of such manipulations might be to entice the user to interact
- with embedded content without knowing its context, (e.g. to
+ with embedded content without knowing its context, (e.g. to
send a payment or share content) commonly known as "clickjacking",
or to convince paid content that it is being shown to the user
when it is actually obscured, commonly known in the advertising
business as "display fraud".
Existing anti-clickjacking measures such as frame-busting
- scripts and headers granting origin-based embedding permissions have
+ scripts and headers granting origin-based embedding permissions have
shortcomings which prevent their application to important use-cases.
- Frame-busting scripts, for example, rely on browser behavior that has not been
+ Frame-busting scripts, for example, rely on browser behavior that has not been
engineered to provide a security guarantee and as a consequence,
such scripts may be unreliable if loaded inside a sandbox
- or otherwise disabled. The X-Frame-Options header and the frame-ancestors
+ or otherwise disabled. The X-Frame-Options header and the frame-ancestors
Content Security Policy directive offer an all-or-none approach to
display of embedded content that is not appropriate for content
which may be embedded in arbitrary locations, or known locations
which might still be adversarial.
This document defines mechanisms to allow resources to
request to be displayed free of interference by their embedding context and
- learn if the user agent was able to satisfy such a request, with
+ learn if the user agent was able to satisfy such a request, with
sufficient granularity to make decisions that can protect both users
and content purveyors from various types of fraud.
First, this document defines an imperative API, VisibilityObserver,
@@ -378,7 +451,7 @@
1.
The declarative CSP interface does not offer the same fine-granularity control as
the JavaScript API. Its goal is to allow protection to be
@@ -402,7 +475,7 @@
1. Distinct from the Intersection Observer proposal, this specification operates internally on entire
documents, on a per-iframe basis (although it provides some syntatic sugar for the declarative,
- event-driven API) rather than observing individual elements, and it affirmatively modifies the final
+ event-driven API) rather than observing individual elements, and it affirmatively modifies the final
composited result in the global viewport by promoting the graphics layer of an iframe that has requested visibility.
The declarative CSP interface does not offer the same fine-granularity control as the JavaScript API. Its goal is to allow protection to be @@ -402,7 +475,7 @@