whatwg@whatwg.org mailing list archive, February 2009

[whatwg] Clickjacking and CSRF

From: Bil Corry <bil@corry.biz>
Date: Fri, 20 Feb 2009 12:36:47 -0600
Message-ID: <499EF83F.90807@corry.biz>
Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
> One proposed way of doing this would be a single header, of the form:
> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
> allow=*.opera.com,example.net;
> This incorporates the idea from the IE team, and extends on it.

Have you taken a look at ABE?

	http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf


> For cross-domain resources, this means that a browser would first have
> to make a request with GET and without authentication tokens to get the
> x-cross-domain-options settings from the resource. If the settings
> allow, a second request may be made, if the second request would be
> different. The result of the last request is handed over to the document.

Have you considered using OPTIONS for the pre-flight request, similar to how Access Control for Cross-Site Requests does it?

	http://www.w3.org/TR/access-control/#cross-site2



- Bil
Received on Friday, 20 February 2009 10:36:47 UTC
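As an added illustration (not code from the thread, from Opera, or from the IE team): a small JavaScript model of the two pre-flight designs discussed above. It parses the x-cross-domain-options header in the form Sigbjørn sketched, works out which cross-domain uses a policy permits, and then shows what goes on the wire under each design: a credential-less GET probe followed by the real request only if it differs, versus an OPTIONS pre-flight with the Origin / Access-Control-* headers of the Access Control spec. The meaning assigned to each keyword (the deny tokens, AllowSameOrigin, the host-pattern rule), the request shapes, and hosts such as evil.example and api.example.org are assumptions made for the example.

```javascript
// Added example (not from the thread, Opera, or the IE team): a model of the two
// pre-flight designs under discussion. Keyword semantics, host-pattern rules and
// the request shapes are assumptions; hosts such as evil.example are made up.

// Design (1): parse an x-cross-domain-options value such as
//   deny=frame,post,auth; AllowSameOrigin; allow=*.opera.com,example.net;
// Keys are matched case-insensitively; unknown keys are ignored (assumptions).
function parseCrossDomainOptions(value) {
  const policy = { deny: new Set(), allowSameOrigin: false, allow: [] };
  const list = s => s.split(',').map(t => t.trim().toLowerCase()).filter(Boolean);
  for (const rawPart of value.split(';')) {
    const part = rawPart.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : part.slice(eq + 1);
    if (key === 'deny') list(val).forEach(d => policy.deny.add(d));
    else if (key === 'allowsameorigin') policy.allowSameOrigin = true;
    else if (key === 'allow') policy.allow.push(...list(val));
  }
  return policy;
}

// "*.opera.com" matches any host below opera.com (not opera.com itself);
// any other pattern must match the host exactly.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Is this use of the resource permitted? Same-origin uses are exempt from the
// deny list only when AllowSameOrigin is present; allow-listed hosts are always
// exempt; everyone else is checked against deny=frame,post,auth.
// use = { host, sameOrigin, method, credentials, framed }
function permitted(policy, use) {
  const exempt = (use.sameOrigin && policy.allowSameOrigin) ||
                 policy.allow.some(p => hostMatches(p, use.host));
  if (exempt) return true;
  if (use.framed && policy.deny.has('frame')) return false;
  if (use.method === 'POST' && policy.deny.has('post')) return false;
  if (use.credentials && policy.deny.has('auth')) return false;
  return true;
}

// Design (1) on the wire: the browser first sends a credential-less GET to read
// the header, then the real request only if it would differ from that probe.
function sequenceWithGetProbe(headerValue, use) {
  const probe = { method: 'GET', credentials: false };
  const policy = parseCrossDomainOptions(headerValue);
  if (!permitted(policy, use)) return { allowed: false, requests: [probe] };
  const differs = use.method !== probe.method || use.credentials !== probe.credentials;
  const real = { method: use.method, credentials: use.credentials };
  return { allowed: true, requests: differs ? [probe, real] : [probe] };
}

// Design (2): an OPTIONS pre-flight in the style of the Access Control spec.
// The server derives its answer from the same policy. Origins are compared by
// host name only here (a real implementation compares scheme, host and port).
// req = { origin, requestMethod, withCredentials }
function preflightResponse(policy, serverHost, req) {
  const host = new URL(req.origin).hostname;
  const use = { host, sameOrigin: host === serverHost, method: req.requestMethod,
                credentials: req.withCredentials, framed: false };
  // A pre-flight the policy rejects gets no Access-Control headers at all, and
  // the browser then refuses to send the real request.
  if (!permitted(policy, use)) return { status: 200, headers: {} };
  const headers = {
    'Access-Control-Allow-Origin': req.origin,
    'Access-Control-Allow-Methods': req.requestMethod,
  };
  if (req.withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { status: 200, headers };
}

// The browser-side check of the pre-flight answer before the real request goes out.
function preflightPasses(resp, req) {
  const h = resp.headers;
  const allowOrigin = h['Access-Control-Allow-Origin'];
  const originOk = allowOrigin === req.origin || (allowOrigin === '*' && !req.withCredentials);
  const methods = (h['Access-Control-Allow-Methods'] || '').split(',').map(s => s.trim());
  const methodOk = methods.includes(req.requestMethod);
  const credOk = !req.withCredentials || h['Access-Control-Allow-Credentials'] === 'true';
  return originOk && methodOk && credOk;
}

// Demo: the header from the thread, an allow-listed site and an arbitrary one.
const HEADER = 'deny=frame,post,auth; AllowSameOrigin; allow=*.opera.com,example.net;';
const POLICY = parseCrossDomainOptions(HEADER);
for (const origin of ['http://my.opera.com', 'http://evil.example']) {
  const req = { origin, requestMethod: 'POST', withCredentials: true };
  const ok = preflightPasses(preflightResponse(POLICY, 'api.example.org', req), req);
  console.log(`${origin} POST with credentials: ${ok ? 'allowed' : 'blocked'}`);
}
```

The difference the thread is about shows up in sequenceWithGetProbe: a plain cross-domain GET costs one request under design (1) because the probe is the request, while a credentialed POST always costs two, and a rejected use still costs the probe. The OPTIONS variant costs two requests in every case but keeps the probe distinguishable from a real GET on the server side, which is the property Bil's pointer to the Access Control draft is getting at.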
