
Re: Req for feedback? Add attribute to elements to defeat clickjacking

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Tue, 7 Jun 2011 09:36:01 -0700
Message-ID: <BANLkTinaoOwVU7cwubSZeO1xUovUq1hMPA@mail.gmail.com>
To: sird@rckc.at
Cc: public-web-security@w3.org

> <style>
> #buyButton:hover{
>    visibility: forced;/* or something else, I don't know.. */
> }
> </style>
> <button id="buyButton">Click here to purchase server for $500.00.</button>

I see two potential problems here:

1) What do you do when you have two overlapping "always on top"
elements? You can only render one.

2) What if the button is visible (and therefore interactive), but only
for a very short period of time before a premeditated click (not
enough to give the user a chance to respond)?

In general, I had the impression that vendors were very unhappy about
implementing any solutions to clickjacking that would involve
determining the actual on-screen visibility of a rendered element,
because that can be complicated in some settings (my proposal in 2008
was shot down on these grounds).

/mz
Received on Tuesday, 7 June 2011 16:36:58 UTC
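
Added example, not part of the original message: a minimal sketch of a dwell-time gate for problem 2 above, where a control becomes visible only moments before a premeditated click. It assumes the browser can report the control's visibility at all (for instance through IntersectionObserver v2's `entry.isVisible`), which is the part the message notes is hard; the `DwellGate` and `replay` names, the 800 ms threshold and the event timeline are constructed for illustration.

```javascript
// Added example: dwell-time gate for a sensitive control (hypothetical names).
// Assumed inputs: visibility changes reported by the browser (for instance
// IntersectionObserver v2's entry.isVisible) and click timestamps in ms.
class DwellGate {
  constructor(minDwellMs) {
    this.minDwellMs = minDwellMs;
    this.visibleSince = null; // when the control last became visible
  }

  // Any report of occlusion resets the timer, so brief flicker cannot
  // accumulate dwell time across separate visible intervals.
  onVisibility(isVisible, t) {
    if (!isVisible) this.visibleSince = null;
    else if (this.visibleSince === null) this.visibleSince = t;
  }

  // Honour a click only after continuous visibility of minDwellMs.
  allowClick(t) {
    if (this.visibleSince === null) return { ok: false, reason: "not-visible" };
    const dwell = t - this.visibleSince;
    if (dwell < this.minDwellMs) return { ok: false, reason: "too-soon", dwell };
    return { ok: true, reason: "ok", dwell };
  }
}

// Replay a timeline of events and return the decision for each click.
function replay(events, minDwellMs) {
  const gate = new DwellGate(minDwellMs);
  const decisions = [];
  for (const e of events) {
    if (e.type === "visibility") gate.onVisibility(e.visible, e.t);
    else if (e.type === "click") decisions.push(gate.allowClick(e.t));
  }
  return decisions;
}

// Constructed timeline (ms): the button is uncovered just before the click.
const SAMPLE_EVENTS = [
  { type: "visibility", visible: false, t: 0 },
  { type: "click", t: 4000 },                     // still covered
  { type: "visibility", visible: true, t: 5000 },
  { type: "click", t: 5050 },                     // 50 ms after reveal
  { type: "visibility", visible: false, t: 5400 },
  { type: "visibility", visible: true, t: 5450 },
  { type: "click", t: 6100 },                     // 650 ms since re-reveal
  { type: "click", t: 6300 },                     // 850 ms since re-reveal
];

console.log(replay(SAMPLE_EVENTS, 800).map((d) => d.reason));
```

The gate does not address problem 1 (two overlapping "always on top" elements); it only decides what to do with a click once a visibility signal exists.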
