W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 20 Jan 2011 18:06:51 -0800
Message-ID: <AANLkTini=E-zfA-at9i_a-hDhBJeJjC_OgidzDBrq6VJ@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
> Or maybe the HTML group. Clickjacking is baked into the current
> standards and the people most involved in those standards may be
> required to compromise on them. For example, one simple-minded
> solution might be to dis-allow events targeted at cross-origin
> frames that meet some spoofing criteria (small, obscured, nested,
> scrolled, etc).

I proposed this several years ago, before all the public attention
clickjacking managed to get:

http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016327.html

...but the response to any solutions that require any UI logic was
overwhelmingly negative.

/mz
Received on Friday, 21 January 2011 02:07:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 21 January 2011 02:07:45 GMT