W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Req for feedback? Add attribute to elements to defeat clickjacking

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Tue, 7 Jun 2011 11:20:14 -0500
Message-ID: <BANLkTi=f8zykda-x2Rnk-EgH7QG-O3A-eA@mail.gmail.com>
To: public-web-security@w3.org

One of the most complicated problems we have nowadays is that there
are some widgets, which are specifically designed to be iframed (ads,
games, like buttons, etc.), that are difficult to protect against.

So, there's this idea that might solve some of those problems.

Let's say we add an attribute (or CSS property) that will instruct the
browser that when hovered, they should appear over everything that
might be over them, and make its opacity opaque.

So something like:

    visibility: forced; /* or something else, I don't know.. */
    <button id="buyButton">Click here to purchase server for $500.00.</button>

Will make the buy button visible no matter if there are things over it
(in other windows).

There are some restrictions that should be made for this to be effective:
1. This property should only work on hover, or active elements (e.g.
with the mouse over, or selected by <tab>).
2. If this is inside an iframe, then it shouldn't obscure anything
outside of the frame window (so, if there's a 1x1 frame, the button
will still be invisible).
3. If part of the element is outside of the window (e.g.
top:-200;left:-200), it shouldn't obscure chrome UI (like the
address bar or so).

To mitigate attacks abusing (2) or (3) when the "forced
visibility" fails, mouse click events to that object could be
disabled; but even if nothing is done it would be OK, since the frame
can detect its size and position (so it would know that the click
might be invalid).

I was wondering if you can find any other (abuse) cases for this
feature, or if you have any thoughts. Or if there might be other
(better) solutions for this problem.


-- Eduardo
Received on Tuesday, 7 June 2011 16:21:01 UTC
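The fallback described in the message, where the framed widget itself checks its size and position before trusting a click, as an added example (not code from the original post). `isClickTrustworthy` is a pure function so it can be tested outside a browser; `guardButton`, `MIN_VIEWPORT_PX` and the 100px threshold are assumptions chosen for illustration.

```javascript
// Constructed threshold: a frame smaller than this cannot show the whole
// control, so a click inside it is treated as suspect (cf. the 1x1 frame case).
const MIN_VIEWPORT_PX = 100;

// Pure decision logic: viewport is {width, height} of the frame's own window,
// rect is the element's bounding box relative to that viewport.
function isClickTrustworthy(viewport, rect) {
  // Restriction (2): the frame window must be large enough to be visible.
  if (viewport.width < MIN_VIEWPORT_PX || viewport.height < MIN_VIEWPORT_PX) {
    return false;
  }
  // Restriction (3): the element must lie entirely inside the frame's viewport,
  // so no part of it was positioned off-screen (e.g. top:-200; left:-200).
  return rect.left >= 0 && rect.top >= 0 &&
    rect.right <= viewport.width && rect.bottom <= viewport.height;
}

// True when this document is embedded in another one.
function isFramed() {
  return window.top !== window.self;
}

// Browser-only wrapper (hypothetical name): when framed, attach a capturing
// listener that drops clicks the geometry check rejects. The widget cannot
// see what the parent page draws over it, so this only covers size/position.
function guardButton(button) {
  if (!isFramed()) {
    return;
  }
  button.addEventListener('click', (ev) => {
    const viewport = { width: window.innerWidth, height: window.innerHeight };
    const rect = button.getBoundingClientRect();
    if (!isClickTrustworthy(viewport, rect)) {
      ev.stopImmediatePropagation();
      ev.preventDefault();
    }
  }, true);
}
```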

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:26 UTC