W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: XSS mitigation in browsers

From: Giorgio Maone <g.maone@informaction.com>
Date: Fri, 21 Jan 2011 08:32:24 +0100
Message-ID: <4D393688.9090507@informaction.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
Michal Zalewski wrote, On 21/01/2011 3.06:
>> Or maybe the HTML group. Clickjacking is baked into the current
>> standards and the people most involved in those standards may be
>> required to compromise on them. For example, one simple-minded
>> solution might be to dis-allow events targeted at cross-origin
>> frames that meet some spoofing criteria (small, obscured, nested,
>> scrolled, etc).
> I proposed this several years ago, before all the public attention
> clickjacking managed to get:
> http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016327.html
> ...but the response to any solutions that require any UI logic was
> overwhelmingly negative.
Well, just a few days later a quite similar concept was implemented and 
successfully shipped:


-- G
Received on Friday, 21 January 2011 07:38:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC