[whatwg] Clickjacking and CSRF

There have been a number of discussions about clickjacking, 
X-Frame-Options, and other proposals.

Nobody I've spoken to seems especially happy with X-Frame-Options, and 
none of the other proposals have yet gotten serious traction.

I have therefore not added anything of this nature to the HTML5 spec yet. 
I propose that, from a standardisation perspective, we continue to wait to 
get more implementation experience and document the end result once we 
are more confident that a long-term solution has been found.

I recommend that people interested in this field work with browser vendors 
to get experimental implementations of their proposals, so that we can 
study their effects on Web content.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 15 July 2009 17:26:19 UTC