- From: Giorgio Maone <g.maone@informaction.com>
- Date: Fri, 21 Jan 2011 08:32:24 +0100
- To: Michal Zalewski <lcamtuf@coredump.cx>
- CC: Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>

Michal Zalewski wrote, On 21/01/2011 3.06:
>> Or maybe the HTML group. Clickjacking is baked into the current
>> standards and the people most involved in those standards may be
>> required to compromise on them. For example, one simple-minded
>> solution might be to dis-allow events targeted at cross-origin
>> frames that meet some spoofing criteria (small, obscured, nested,
>> scrolled, etc).
> I proposed this several years ago, before all the public attention
> clickjacking managed to get:
>
> http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016327.html
>
> ...but the response to any solutions that require any UI logic was
> overwhelmingly negative.

Well, just a few days later a quite similar concept was implemented and
successfully shipped:
http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/

-- G

Received on Friday, 21 January 2011 07:38:38 UTC