Re: Clickjacking (was: window.open() and popup blockers)

From: Robin Berjon <robin@robineko.com>
Date: Thu, 7 Oct 2010 16:37:17 +0200
Cc: "public-device-apis@w3.org WG" <public-device-apis@w3.org>
Message-Id: <A5036941-351F-4734-836A-2B63BCD9EC5A@robineko.com>
To: Anssi Kostiainen <anssi.kostiainen@nokia.com>

On Oct 7, 2010, at 10:03 , Anssi Kostiainen wrote:
> I'm happy to review the proposal. Clickjacking attacks use iframes to hijack user's session. How about simply preventing API invocation via DOM events within an iframe? Would that be too drastic a measure?

I think it would be. It would prevent embedded "widgets" from doing anything with these APIs, which is a severe limitation I'd think.

--
Robin Berjon
  robineko  hired gun, higher standards
  http://robineko.com/
Received on Thursday, 7 October 2010 14:37:45 UTC