
[whatwg] Clickjacking and CSRF

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Fri, 20 Feb 2009 16:22:39 +0100
Message-ID: <op.upnoz1vx41y844@id-c0735.oslo.opera.com>
On Fri, 20 Feb 2009 16:00:09 +0100, Giorgio Maone <g.maone at informaction.com> wrote:

> Sigbjørn Vik wrote, On 20/02/2009 15.46:
>> There is currently little protection against clickjacking, the  
>> x-frame-options is the first attempt.
> Nope, it's the second and weakest:
> http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/
> http://noscript.net/faq#clearclick

I stand corrected. I was thinking too narrow-mindedly, from a browser vendor perspective. Frame busting is another existing alternative.

-- 
Sigbjørn Vik
Quality Assurance
Opera Software
Received on Friday, 20 February 2009 07:22:39 UTC
