
Re: Req for feedback? Add attribute to elements to defeat clickjacking

From: Giorgio Maone <g.maone@informaction.com>
Date: Tue, 07 Jun 2011 19:28:35 +0200
Message-ID: <4DEE5FC3.2010809@informaction.com>
To: "sird@rckc.at" <sird@rckc.at>
CC: Michal Zalewski <lcamtuf@coredump.cx>, public-web-security@w3.org

sird@rckc.at wrote, On 07/06/2011 19.15:
> Minimum visibility you mean that unless the marked element is not
> completely visible, then it shouldn't be clickable?
> 
> -- Eduardo

BTW, that's exactly what ClearClick enforces (it actually checks for keyboard
events too, so "shouldn't be interactive" with a warning and an option to
unlock):
http://noscript.net/faq#clearclick

-- G



> 
> 
> On Tue, Jun 7, 2011 at 11:56 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>>>> 2) What if the button is visible (and therefore interactive), but only
>>>> for a very short period of time before a premeditated click (not
>>>> enough to give the user a chance to respond)?
>>> This is something the host page could detect right? How long the mouse
>>> is hovered over.
>>
>> And for that part - sort of, though not very easily (there are many
>> odd corner cases, plus considerations with accessibility technologies
>> or keyboard browsing).
>>
>> But most importantly, it's ugly, like framebusting or referrer
>> clicking. Browser-enforced minimum visibility would probably be a
>> useful part of a proposal like that. But that brings us pretty close
>> to the original whatwg discussion ;-)
>>
>> /mz
>>
> 
Received on Tuesday, 7 June 2011 17:29:03 UTC
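
The host-page check discussed in this thread (how long the control has been visible and hovered before it is activated), sketched as an added example that is not part of the original messages and is not ClearClick's code. `createDwellGuard`, its thresholds and the `#confirm` selector are hypothetical; focus is tracked alongside hover to cover the keyboard and accessibility cases raised above.

```javascript
// Added example: hypothetical helper, not ClearClick or any proposal's code.
// Timestamps are passed in so the logic can be exercised without a browser.
function createDwellGuard({ minVisibleMs = 800, minAttentionMs = 500 } = {}) {
  let visibleSince = null;                        // when the element last became fully visible
  const attention = { hover: null, focus: null }; // start time per input modality

  return {
    // fullyVisible comes from whatever visibility signal the page has.
    setVisible(fullyVisible, now) {
      if (!fullyVisible) visibleSince = null;     // any interruption restarts the clock
      else if (visibleSince === null) visibleSince = now;
    },
    // Hover and keyboard focus are tracked separately so keyboard and
    // assistive-technology users can still activate the control.
    attentionStart(kind, now) { if (attention[kind] === null) attention[kind] = now; },
    attentionEnd(kind) { attention[kind] = null; },
    // Decide whether an activation at time `now` should be honoured.
    check(now) {
      if (visibleSince === null) return { allowed: false, reason: "not-visible" };
      if (now - visibleSince < minVisibleMs) return { allowed: false, reason: "visible-too-briefly" };
      const starts = Object.values(attention).filter((t) => t !== null);
      if (starts.length === 0) return { allowed: false, reason: "no-hover-or-focus" };
      if (now - Math.min(...starts) < minAttentionMs) return { allowed: false, reason: "dwell-too-short" };
      return { allowed: true, reason: "ok" };
    },
  };
}

// Browser wiring, skipped outside a browser. "#confirm" is a placeholder selector.
// Limit: the observer below reports intersection with the viewport only, not
// occlusion by content drawn over the element or over the frame it lives in.
if (typeof document !== "undefined") {
  const btn = document.querySelector("#confirm");
  if (btn) {
    const guard = createDwellGuard();
    const now = () => performance.now();
    new IntersectionObserver(([e]) => guard.setVisible(e.intersectionRatio >= 1, now()),
      { threshold: 1 }).observe(btn);
    btn.addEventListener("pointerenter", () => guard.attentionStart("hover", now()));
    btn.addEventListener("pointerleave", () => guard.attentionEnd("hover"));
    btn.addEventListener("focus", () => guard.attentionStart("focus", now()));
    btn.addEventListener("blur", () => guard.attentionEnd("focus"));
    btn.addEventListener("click", (e) => {
      if (!guard.check(now()).allowed) { e.preventDefault(); e.stopImmediatePropagation(); }
    }, true);
  }
}
```

The visibility input is the weak point of any page-side version: a framed page has no reliable view of what its embedder paints on top of it, which is the gap a browser-enforced check would close.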
