W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: XSS mitigation in browsers

From: Giorgio Maone <g.maone@informaction.com>
Date: Fri, 21 Jan 2011 08:32:24 +0100
Message-ID: <4D393688.9090507@informaction.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
Michal Zalewski wrote, On 21/01/2011 3.06:
>> Or maybe the HTML group. Clickjacking is baked into the current
>> standards and the people most involved in those standards may be
>> required to compromise on them. For example, one simple-minded
>> solution might be to dis-allow events targeted at cross-origin
>> frames that meet some spoofing criteria (small, obscured, nested,
>> scrolled, etc).
> I proposed this several years ago, before all the public attention
> clickjacking managed to get:
>
> http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016327.html
>
> ...but the response to any solutions that require any UI logic was
> overwhelmingly negative.
Well, just a few days later a quite similar concept was implemented and 
successfully shipped:

http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/

-- G
Received on Friday, 21 January 2011 07:38:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 21 January 2011 07:38:39 GMT