
New clickjacking threats page

From: Peleus Uhley <puhley@adobe.com>
Date: Fri, 30 Mar 2012 02:59:20 -0700
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <89C32933AB7E6E4C89818D91F8FDC25F07A8545EBB@nambxv01a.corp.adobe.com>
I searched through Adobe's internal documentation, David Lin-Shung Huang's upcoming paper and existing public information to create a summary of clickjacking threats and possible solutions. This document is not trying to dictate the final design. It is more about capturing ideas and recording known risks. We can compare any proposed anti-clickjacking spec against each of the identified threats to measure its effectiveness. The possible solutions that are listed are primarily there to inspire different ideas on how to address the threats. This document is currently a rough draft that we can build upon as we move forward with the anti-clickjacking design spec.

In some ways, the clickjacking threats page covers ideas already expressed in the requirements document in a more verbose format. My idea is that we can use the clickjacking threats page to record all the threats and ideas. The anti-clickjacking requirements document will only list those items that have been agreed upon to be requirements of the final spec. The requirements document can also refer back to the threats page in order to avoid explaining each threat in detail. Overall, I am just trying to move the conversation one step forward by getting more information recorded in a centralized location.

Here is the link to the new clickjacking threats page: http://www.w3.org/Security/wiki/Clickjacking_Threats. I also added this link to the attack cases section of the original anti-clickjacking requirements document (http://www.w3.org/Security/wiki/Anti-Clickjacking_Requirements). Let me know if you have any questions or feedback.

Thanks,
  -Peleus

--
Peleus Uhley
Platform Security Strategist
Adobe Systems, Inc.
Received on Friday, 30 March 2012 10:02:41 GMT