- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Tue, 7 Jun 2011 09:36:01 -0700
- To: sird@rckc.at
- Cc: public-web-security@w3.org
> <style>
> #buyButton:hover{
> visibility: forced;/* or something else, I don't know.. */
> }
> </style>
> <button id="buyButton">Click here to purchase server for $500.00.</button>

I see two potential problems here:

1) What do you do when you have two overlapping "always on top" elements? You can only render one.

2) What if the button is visible (and therefore interactive), but only for a very short period of time before a premeditated click (not enough to give the user a chance to respond)?

In general, I had the impression that vendors were very unhappy about implementing any solutions to clickjacking that would involve determining the actual on-screen visibility of a rendered element, because that can be complicated in some settings (my proposal in 2008 was shot down on these grounds).

/mz

Received on Tuesday, 7 June 2011 16:36:58 UTC