Re: XSS mitigation in browsers from gaz Heyes on 2011-01-21 (public-web-security@w3.org from January 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 21 Jan 2011 09:25:28 +0000
To: Giorgio Maone <g.maone@informaction.com>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
Message-ID: <AANLkTikbgTDwhfBW9TFo-HCvWme7HtiwwKE42_6Xs-0Q@mail.gmail.com>

On 21 January 2011 07:32, Giorgio Maone <g.maone@informaction.com> wrote:

> overwhelmingly negative.
>>
> ...but the response to any solutions that require any UI logic was
> Well, just a few days later a quite similar concept was implemented and
> successfully shipped:
>
> http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/

Clear click is great it prevents clickjacking very well and gives a clear
indicator to override and allow. </endorsement>

To prevent "like" buttons being used without a users knowledge they really
need to become part of the browser UI or external content needs to be
highlighted in such a way it's clear to the user, e.g. a iframe shouldn't be
able to be styled in such a way that it's dimensions are too small and
elements should not overlay it. The iframe itself needs to be clear where
it's coming from, I've mocked up a way to highlight a iframes domain:-

<http://www.businessinfo.co.uk/labs/test_files/iframe-indicator.png>

So when some content is intended to be included a web site the
X-Frame-Options:Allow, then the iframe indicator shows and prevents the
iframe from being resized to very small dimensions and it should always
appear on top of any content and within the screen area.

Received on Friday, 21 January 2011 09:26:01 UTC