
Re: XSS mitigation in browsers

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 20 Jan 2011 17:51:16 -0800
Message-ID: <4D38E694.7010801@mozilla.com>
To: Brandon Sterne <bsterne@mozilla.com>
CC: public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>

On 1/20/11 1:47 PM, Brandon Sterne wrote:
> I will say, though, that neither CSP frame-ancestors nor X-F-O fully
> address the clickjacking threat.  They are both improvements over
> script-based framebusting, but they only allow sites to prevent their
> framing.  We have no current solutions for sites that want to be framed
> but don't want to be clickjacked [1].  This is an area I would love to
> see this group delve into.

Or maybe the HTML group. Clickjacking is baked into the current
standards and the people most involved in those standards may be
required to compromise on them. For example, one simple-minded
solution might be to disallow events targeted at cross-origin
frames that meet some spoofing criteria (small, obscured, nested,
scrolled, etc).

-Dan
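As an added example, not code from this thread or from Mozilla: a small Python audit helper that reads a response's headers and reports which of the two header-based mechanisms discussed above (X-Frame-Options, CSP frame-ancestors) is in force and whom it lets frame the page. It uses the standardised `Content-Security-Policy: frame-ancestors` syntax, which postdates the 2011 message, rather than the prefixed `X-Content-Security-Policy` header of that era; the header values in the usage at the bottom are constructed.

```python
# Added example (not from the W3C thread): classify a response's framing
# policy from its headers. Assumes the CSP Level 2 "frame-ancestors" syntax.
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def parse_x_frame_options(xfo: str) -> Optional[List[str]]:
    """Translate X-Frame-Options into an equivalent ancestor source list.

    DENY -> ['none'], SAMEORIGIN -> ['self'], ALLOW-FROM uri -> [uri].
    Any other value returns None: browsers do not honour it, so it protects nothing.
    """
    tokens = xfo.strip().split()
    if not tokens:
        return None
    keyword = tokens[0].upper()
    if keyword == "DENY":
        return ["'none'"]
    if keyword == "SAMEORIGIN":
        return ["'self'"]
    if keyword == "ALLOW-FROM" and len(tokens) == 2:
        return [tokens[1].lower()]
    return None


def framing_policy(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise who may frame the response.

    When both headers are present, CSP frame-ancestors wins in browsers that
    support it (CSP Level 2 says X-Frame-Options should then be ignored).
    """
    source = "none"
    ancestors: Optional[List[str]] = None

    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            source = "frame-ancestors"

    if ancestors is None:
        xfo = _header(headers, "X-Frame-Options")
        if xfo is not None:
            ancestors = parse_x_frame_options(xfo)
            if ancestors is not None:
                source = "x-frame-options"

    if ancestors is None:
        verdict = "unprotected"            # any site may frame it
    elif ancestors == [] or ancestors == ["'none'"]:
        verdict = "not-framable"           # empty source list matches no ancestor
    elif ancestors == ["'self'"]:
        verdict = "same-origin-only"
    else:
        # The site wants to be framed by specific origins. The headers can
        # express that, but as the thread notes they cannot stop one of those
        # permitted framers from clickjacking it.
        verdict = "framable-by-allowlist"

    return {"source": source, "ancestors": ancestors or [], "verdict": verdict}


if __name__ == "__main__":
    # Constructed header sets, not captured from any real site.
    samples = [
        {"X-Frame-Options": "DENY"},
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
         "X-Frame-Options": "DENY"},
        {"Content-Type": "text/html"},
    ]
    for sample in samples:
        print(sample, "->", framing_policy(sample))
```

The "framable-by-allowlist" verdict is the case Brandon's message calls out: the headers can name who may frame the page, but nothing in them constrains what an allowed framer does with the frame once it is embedded.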
Received on Friday, 21 January 2011 01:52:28 GMT
