Re: Cross-domain information leak with UI Security Directives

> If so then attacker.com will happily not opt-in and the defense would never
> be enabled :(

Yes, and the website in question can switch to other fraud
detection/prevention mechanisms such as a longer flow. For example, it
could open a new window, with a manual delay, and ask for a second
click. I envision it being similar to how implementors will support
legacy browsers. We will need a way for code to figure out that all
other principals on the canvas opted in and UISecurity is enabled.

Thanks
Dev

Received on Tuesday, 11 June 2013 17:00:59 UTC