Re: [html5] Sandbox disables clickjacking protection

On Tue, 2 Aug 2011, Philippe De Ryck wrote:
> 
> Add the following warning to section 4.8.2 (the iframe element) of the 
> specification: Unwanted sandboxing of legitimate content can disable 
> JavaScript-based clickjacking protection mechanisms. To prevent such 
> attacks, legitimate content should provide adequate clickjacking 
> protection [1].
> 
> [1] Busting frame busting: a study of clickjacking vulnerabilities at 
> popular sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin 
> Jackson in IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010)

I've added a warning to this effect in the introduction, along with some 
other security advice.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 2 August 2011 21:46:39 UTC
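
The following is an added example, not part of the original thread or of the specification. It classifies a response's anti-framing defence by whether it would still hold when the page is loaded in a sandboxed iframe. It goes beyond the message in naming the header-based defences (X-Frame-Options and the CSP frame-ancestors directive). The script patterns are a heuristic assumption and the sample responses are constructed.

```javascript
// Added example. Sample responses below are constructed for illustration.
// Heuristic signs of JavaScript frame busting (assumption: not exhaustive).
const FRAME_BUST_PATTERNS = [
  /\b(top|parent)\s*!==?\s*(self|window)\b/,
  /\b(self|window)\s*!==?\s*(top|parent)\b/,
  /\btop\.location(\.href)?\s*=[^=]/,
];

// Source list of the CSP frame-ancestors directive, or null when absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// True when any inline <script> body matches a frame-busting pattern.
function hasFrameBuster(html) {
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)];
  return scripts.some(m => FRAME_BUST_PATTERNS.some(re => re.test(m[1])));
}

// 'header'      : enforced by the browser, independent of script execution
// 'script-only' : lost when the framing page sandboxes the iframe without allow-scripts
// 'none'        : no anti-framing defence detected
function classifyFramingDefence(headers, html) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const fa = frameAncestors(h['content-security-policy'] || '');
  // A wildcard source list permits every ancestor, so it is not a defence.
  const cspRestricts = fa !== null && !fa.includes('*');
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN' || cspRestricts) return 'header';
  return hasFrameBuster(html) ? 'script-only' : 'none';
}

// Constructed sample responses.
const BUSTER = '<script>if (top !== self) { top.location = self.location; }</script>';
const SAMPLES = [
  { name: 'script only', headers: { 'Content-Type': 'text/html' }, html: BUSTER },
  { name: 'XFO + script', headers: { 'X-Frame-Options': 'deny' }, html: BUSTER },
  { name: 'CSP', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }, html: '' },
  { name: 'unprotected', headers: {}, html: '<p>hello</p>' },
];
for (const s of SAMPLES) console.log(s.name, '=>', classifyFramingDefence(s.headers, s.html));
```

A 'script-only' result marks the content the warning is about: its protection depends on script that a sandboxed iframe can prevent from running.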