
PageVisibility - Top level browsing context vs. Nested browsing context and clickjacking

From: Ian Chan <chanian@twitter.com>
Date: Thu, 14 Jul 2011 18:24:43 -0700
Message-ID: <CANHhSSn838ddeODX+nRbH86rV8TDUxKXHmf8d9QTbiHTQAntNQ@mail.gmail.com>
To: public-web-perf@w3.org
Greetings, and great work on the updates to the spec!
I recently came across the updates for:
http://w3c-test.org/webperf/specs/PageVisibility/ and had a quick
question/comment.

This change has the potential to solve an existing and long-standing browser
security issue. Specifically, I suggest it as a potential solution to
clickjacking and malicious UI redressing. If these changes could apply to
the nested browser context, and additionally include (or somehow reference)
the contextual opacity of the document, this change could be used to prevent
clickjacking attacks which exist commonly on iframed 3rd-party widgets. I
understand that x-frame-options is an existing solution, but it does not always
protect against all iframe scenarios. Using either the document attributes
or binding events to the state changes, developers would be able to know
when their application is operating within a hidden/compromised context.

Apologies if this request/comment goes beyond the scope of this change, but
I wanted to ask if this has been considered.

Thank you,

-- 
*Ian Chan*
chanian@twitter.com
@chanian
Received on Saturday, 16 July 2011 20:15:26 UTC
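As an added illustration (not code from the message or from the spec), the following shows what an embedded 3rd-party widget can and cannot learn today from the Page Visibility API when deciding whether to act on a click: it can tell whether the tab is hidden and whether it is a nested browsing context, but nothing about the frame's opacity or overlaying, which is exactly the gap raised above. The `doc`/`win` parameters are assumed stand-ins for `document`/`window` so the logic also runs outside a browser.

```javascript
// Added example: decide whether a widget should honour a sensitive click.
// Uses document.visibilityState / visibilitychange (Page Visibility API) plus
// a top-vs-nested browsing context check. Opacity and overlays are NOT
// observable through this API, so a framed widget can only fall back to a
// confirmation step and to X-Frame-Options / frame-ancestors on the server.
// `doc` and `win` are passed in (assumption: they mimic document and window).

function assessClickContext(doc, win) {
  // Nested browsing context: our window is not the top-level window.
  // Guard the comparison in case an unusual embedding makes win.top throw.
  let framed;
  try {
    framed = win.top !== win.self;
  } catch (e) {
    framed = true; // cannot even inspect the parent: treat as nested
  }

  // "hidden" covers the whole tab/window (background tab, minimised window).
  // It says nothing about whether THIS frame is covered, transparent or off-screen.
  const hidden = doc.visibilityState !== 'visible';

  let decision;
  if (hidden) {
    decision = 'deny';     // a click in a hidden page cannot be a real user intent
  } else if (framed) {
    decision = 'confirm';  // visible but nested: require an in-widget confirmation
  } else {
    decision = 'allow';    // top-level and visible
  }

  return { framed, hidden, opacityKnown: false, decision };
}

// Re-evaluate whenever the tab's visibility changes, so a widget that was
// loaded in a background tab does not keep a stale "allow" decision.
function installVisibilityGuard(doc, win, onChange) {
  const update = () => onChange(assessClickContext(doc, win));
  doc.addEventListener('visibilitychange', update);
  update();
  return update; // returned so a caller (or test) can trigger it directly
}
```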
