
Update Trusted UI principle with Chromium's spoofing and clickjacking guidance #548

Open
jyasskin opened this issue Jan 13, 2025 · 1 comment
jyasskin (Contributor):

Chromium has a document of guidance for preserving trustworthy UI, much of which looks relevant to our Trusted UI principle. In particular:

  • Prefer negative security indicators to positive or neutral ones <- so there's less incentive to spoof them.
  • Avoid mixing trustworthy with untrustworthy content <- so usually don't let sites provide explanation strings.
  • Browser UI that requires multiple clicks can be good for security <- most of the clickjacking advice is about browser UI that's outside the scope of web standards, but this part is another argument that choosers are better than yes/no decisions.

There may be other bits that I've missed on this read-through. If you see some, please point them out or send a PR. I'll try to send a PR for the above.

@jyasskin jyasskin self-assigned this Jan 13, 2025
jyasskin (Contributor, Author):

@simoneonofri This seems like a good topic for the Security IG. I'm encouraging Chrome's UX researchers to bring you some data to inform that discussion.
