- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 11 Jun 2013 10:00:11 -0700
- To: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
- Cc: Peleus Uhley <puhley@adobe.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> If so then attacker.com will happily not opt-in and the defense would never
> be enabled :(

yes, and the website in question can switch to other fraud detection/prevention mechanisms such as a longer flow. For example, it could open a new window, with a manual delay and ask for a second click. I envision it being similar to how implementors will support legacy browsers. We will need a way for code to figure out that all other principals on the canvas opted-in and UISecurity is enabled.

Thanks
Dev

Received on Tuesday, 11 June 2013 17:00:59 UTC