- From: Ian Chan <chanian@twitter.com>
- Date: Thu, 14 Jul 2011 18:24:43 -0700
- To: public-web-perf@w3.org
- Message-ID: <CANHhSSn838ddeODX+nRbH86rV8TDUxKXHmf8d9QTbiHTQAntNQ@mail.gmail.com>

Greetings, and great work on the updates to the spec!

I recently came across the updates for: http://w3c-test.org/webperf/specs/PageVisibility/ and had a quick question/comment.

This change has the potential to solve an existing and long-standing browser security issue. Specifically, I suggest it as a potential solution to clickjacking and malicious UI redressing.

If these changes could apply to the nested browser context, and additionally include (or somehow reference) the contextual opacity of the document, this change could be used to prevent clickjacking attacks which exist commonly on iframed 3rd party widgets.

I understand that x-frame-options is an existing solution, but it does not always protect against all iframe scenarios. Using either the document attributes or binding events to the state changes, developers would be able to know when their application is operating within a hidden/compromised context.

Apologies if this request/comment goes beyond the scope of this change, but I wanted to ask if this has been considered.

Thank you,

--
*Ian Chan*
chanian@twitter.com
@chanian

Received on Saturday, 16 July 2011 20:15:26 UTC