W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2012

Re: [webappsec] straw man anti-clickjacking proposal

From: Giorgio Maone <g.maone@informaction.com>
Date: Tue, 28 Feb 2012 11:49:12 +0100
Message-ID: <4F4CB128.8010102@informaction.com>
To: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
CC: Michal Zalewski <lcamtuf@coredump.cx>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 28/02/2012 11:30, David Lin-Shung Huang wrote:

> I assumed that ClearClick intends to detect any visible obstruction on
> the clicked frame

It does, indeed.

My fault, I misinterpreted the aim of the "attack" as a clickthrough
one, rather than a clipping-around one (like the div-based PoC just above).

> That said, it should be possible to detect or avoid this from the
> browser (e.g. taking OS screenshots for comparison).

Yes, it is possible. In fact, I'm probably gonna file a bug report on
the CanvasContext2d.drawWindow() Gecko API to see if it's possible to
take in account this case, and anyway introduce a work-around in next
ClearClick version.

-- G
Received on Tuesday, 28 February 2012 10:49:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:26 UTC