
Re: Req for feedback? Add attribute to elements to defeat clickjacking

From: <sird@rckc.at>
Date: Tue, 7 Jun 2011 12:15:18 -0500
Message-ID: <BANLkTikysg-=2dmSwdGVbnnfWi1q2pvgnQ@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: public-web-security@w3.org
Minimum visibility you mean that unless the marked element is not
completely visible, then it shouldn't be clickable?

-- Eduardo




On Tue, Jun 7, 2011 at 11:56 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>>> 2) What if the button is visible (and therefore interactive), but only
>>> for a very short period of time before a premeditated click (not
>>> enough to give the user a chance to respond)?
>> This is something the host page could detect right? How long the mouse
>> is hovered over.
>
> And for that part - sort of, though not very easily (there are many
> odd corner cases, plus considerations with accessibility technologies
> or keyboard browsing).
>
> But most importantly, it's ugly, like framebusting or referrer
> clicking. Browser-enforced minimum visibility would probably be a
> useful part of a proposal like that. But that brings us pretty close
> to the original whatwg discussion ;-)
>
> /mz
>
Received on Tuesday, 7 June 2011 17:16:05 UTC
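
The host-page check discussed in this thread (how long the button has been visible and hovered before a click is accepted), as an added example that is not part of the original messages. All names and thresholds are assumptions, and how the page learns that the button is actually visible is left to the caller, which is the part the thread suggests the browser should enforce.

```javascript
// Added example: rejects activation of a sensitive button unless it has been
// continuously visible (and, for pointer input, hovered) for a minimum time.
// createClickGuard, minVisibleMs and minHoverMs are hypothetical names.
function createClickGuard({ minVisibleMs = 1000, minHoverMs = 300 } = {}) {
  let visibleSince = null; // timestamp when the element last became visible
  let hoverSince = null;   // timestamp when the pointer last entered it

  return {
    // Wire these to the page's visibility and pointer events.
    setVisible(isVisible, now) {
      if (isVisible) {
        if (visibleSince === null) visibleSince = now;
      } else {
        visibleSince = null; // any hidden interval restarts both timers
        hoverSince = null;
      }
    },
    pointerEnter(now) { hoverSince = now; },
    pointerLeave() { hoverSince = null; },

    // inputType is "pointer" or "keyboard". Keyboard and assistive-technology
    // activation produces no hover, so only the visibility dwell applies.
    allowActivation(inputType, now) {
      if (visibleSince === null) return { ok: false, reason: "not-visible" };
      if (now - visibleSince < minVisibleMs) return { ok: false, reason: "visible-too-briefly" };
      if (inputType === "pointer") {
        if (hoverSince === null) return { ok: false, reason: "no-hover" };
        if (now - hoverSince < minHoverMs) return { ok: false, reason: "hover-too-brief" };
      }
      return { ok: true, reason: "ok" };
    },
  };
}

// Constructed timeline in milliseconds, not taken from the thread.
function demo() {
  const g = createClickGuard({ minVisibleMs: 1000, minHoverMs: 300 });
  const out = [];
  g.setVisible(true, 0);
  g.pointerEnter(50);
  out.push(g.allowActivation("pointer", 100).reason);   // button shown just before the click
  out.push(g.allowActivation("keyboard", 1200).reason); // keyboard user, no hover required
  g.pointerLeave(); g.pointerEnter(1250);
  out.push(g.allowActivation("pointer", 1300).reason);  // pointer re-entered 50 ms ago
  out.push(g.allowActivation("pointer", 1600).reason);  // both dwell times satisfied
  g.setVisible(false, 1700);
  out.push(g.allowActivation("pointer", 1800).reason);  // hidden again
  return out;
}
```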
