- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 20 Jan 2011 17:51:16 -0800
- To: Brandon Sterne <bsterne@mozilla.com>
- CC: public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
On 1/20/11 1:47 PM, Brandon Sterne wrote:
> I will say, though, that neither CSP frame-ancestors nor X-F-O fully
> address the clickjacking threat. They are both improvements over
> script-based framebusting, but they only allow sites to prevent their
> framing. We have no current solutions for sites that want to be framed
> but don't want to be clickjacked [1]. This is an area I would love to
> see this group delve into.

Or maybe the HTML group. Clickjacking is baked into the current standards and the people most involved in those standards may be required to compromise on them. For example, one simple-minded solution might be to dis-allow events targeted at cross-origin frames that meet some spoofing criteria (small, obscured, nested, scrolled, etc).

-Dan
Received on Friday, 21 January 2011 01:52:28 UTC
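The limitation both writers describe, that `frame-ancestors` and `X-Frame-Options` can only say which origins may frame a page and nothing about how the frame is then displayed, is easiest to see with a small policy evaluator. The following block is an added example written for this archive page; it is not code from either author or from Mozilla. It evaluates a `Content-Security-Policy: frame-ancestors` directive and an `X-Frame-Options` value against a constructed chain of ancestor origins (outermost last). The function names, the simplified `SAMEORIGIN` handling (every ancestor must match, which is what CSP requires but not every historic X-F-O implementation checked), and the sample origins are all assumptions made for illustration.

```python
"""Evaluate framing policies against an ancestor chain (hypothetical helper)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return parts.scheme.lower(), parts.hostname.lower(), port


def parse_frame_ancestors(csp_header):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(source, ancestor, self_origin):
    """Does one frame-ancestors source expression match an ancestor origin?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor == self_origin
    if src == "*":
        return True
    a_scheme, a_host, a_port = ancestor
    # scheme-source such as "https:" matches any host using that scheme
    if src.endswith(":") and "/" not in src:
        return a_scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]; the path is ignored here
    scheme, _, rest = src.rpartition("://")
    rest = rest.split("/", 1)[0]
    host, _, port = rest.partition(":")
    if scheme and scheme != a_scheme:
        return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):
            return False
    elif host != a_host:
        return False
    if port and port != "*" and int(port) != a_port:
        return False
    return True


def csp_allows_framing(csp_header, self_url, ancestor_urls):
    """True if every ancestor in the chain is permitted by frame-ancestors."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True  # no directive: the page does not restrict framing
    self_origin = origin_of(self_url)
    return all(
        any(source_matches(s, origin_of(a), self_origin) for s in sources)
        for a in ancestor_urls
    )


def xfo_allows_framing(xfo_value, self_url, ancestor_urls):
    """True if X-Frame-Options permits the chain (ALLOW-FROM is not modelled)."""
    value = xfo_value.strip().upper()
    if value == "DENY":
        return not ancestor_urls
    if value == "SAMEORIGIN":
        self_origin = origin_of(self_url)
        return all(origin_of(a) == self_origin for a in ancestor_urls)
    return True  # unknown value: browsers ignore it


if __name__ == "__main__":
    # Constructed sample: a site that wants its partner to frame it.
    policy = "frame-ancestors 'self' https://*.partner.example"
    page = "https://bank.example/widget"
    print(csp_allows_framing(policy, page, ["https://app.partner.example"]))  # True
    # The partner page is itself framed by a third party: denied.
    print(csp_allows_framing(policy, page, ["https://app.partner.example",
                                            "https://third.example"]))       # False
```

Once the partner origin is on the allow list, nothing in either header constrains what the partner's page does with the frame (size, overlays, scroll position), which is exactly the gap the message is pointing at; the expressible policy ends at the origin check.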