[whatwg] Clickjacking and CSRF

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 15 Jul 2009 18:24:44 -0700
Message-ID: <63df84f0907151824u2e86f235k8ddb13fd3826c993@mail.gmail.com>
On Wed, Jul 15, 2009 at 5:26 PM, Ian Hickson<ian at hixie.ch> wrote:
>
> There have been a number of discussions about clickjacking,
> X-Frame-Options, and other proposals.
>
> Nobody I've spoken to seems especially happy with X-Frame-Options, and
> none of the other proposals have yet gotten serious traction.
>
> I have therefore not added anything of this nature to the HTML5 spec yet.
> I propose that from a standardisation perspective, we continue to wait to
> get more implementation experience and document the end result once we
> are more confident that a long-term solution has been found.
>
> I recommend that people interested in this field work with browser vendors
> to get experimental implementations of their proposals, so that we can
> study their effects on Web content.

Note that Content Security Policies[1] can be used to deal with
clickjacking. So far we've gotten a lot of positive feedback to CSP
and are in progress of implementing it in Firefox. So it's a possible
solution to this.

/ Jonas

[1] http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/
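As an added illustration (not part of this thread, and not code from Mozilla or any browser), the following Python models the framing decision a browser makes from the two headers the thread mentions: X-Frame-Options with its DENY/SAMEORIGIN values, and a CSP frame-ancestors directive. The frame-ancestors semantics assumed here are the ones later standardised in CSP Level 2 (the directive overrides X-Frame-Options when present; sources may be 'self', 'none', a scheme, an origin, or a wildcard host), the source matching is simplified to scheme, host and port, and all origins and header values are constructed sample data.

```python
from urllib.parse import urlsplit

# Default ports used when an origin omits one (assumption: http/https only).
DEFAULT_PORTS = {"http": "80", "https": "443"}


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin_parts(origin):
    """Split 'scheme://host[:port]' into a comparable (scheme, host, port) tuple."""
    p = urlsplit(origin)
    port = str(p.port) if p.port else DEFAULT_PORTS.get(p.scheme.lower(), "")
    return p.scheme.lower(), (p.hostname or "").lower(), port


def frame_ancestors(csp):
    """Return the source tokens of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_matches(src, framer):
    """Simplified CSP source matching: scheme-only, origin, or '*.host' wildcard."""
    scheme, host, port = framer
    if src.endswith(":") and "://" not in src:          # scheme source, e.g. https:
        return src[:-1].lower() == scheme
    s_scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    if s_scheme is not None and s_scheme.lower() != scheme:
        return False
    rest = rest.rstrip("/")
    s_host, s_port = rest.rsplit(":", 1) if ":" in rest else (rest, None)
    if s_port is not None and s_port != "*" and s_port != port:
        return False
    s_host = s_host.lower()
    if s_host.startswith("*."):                          # subdomains only, not the bare host
        return host.endswith(s_host[1:])
    return host == s_host


def may_frame(headers, page_origin, framer_origin):
    """True if a browser honouring these response headers would let a document on
    framer_origin embed the response served by page_origin."""
    page, framer = _origin_parts(page_origin), _origin_parts(framer_origin)
    csp = _header(headers, "Content-Security-Policy")
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:
        # Assumed CSP Level 2 rule: frame-ancestors governs and X-Frame-Options is ignored.
        for src in sources:
            tok = src.strip("'").lower()
            if tok == "none":
                return False
            if tok == "*" or (tok == "self" and framer == page):
                return True
            if tok != "self" and _source_matches(src, framer):
                return True
        return False
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True        # no restriction at all: the clickjacking-exposed default
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return framer == page
    return True            # unrecognised value is ignored by browsers, so framing is allowed


def anti_clickjacking_headers(allowed_framers=()):
    """Headers a server would send; both are set so that browsers knowing only
    X-Frame-Options are still covered (X-Frame-Options cannot express a partner list,
    so it falls back to SAMEORIGIN when third-party framers are allowed)."""
    if not allowed_framers:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(allowed_framers)}


if __name__ == "__main__":
    # Constructed sample: an application that lets one partner domain embed it.
    h = anti_clickjacking_headers(["https://*.partner.example"])
    print(h)
    print(may_frame(h, "https://app.example.com", "https://portal.partner.example"))
    print(may_frame(h, "https://app.example.com", "https://evil.example"))
```

The lookup-table of which header wins matters for defenders: a CSP without a frame-ancestors directive leaves X-Frame-Options in charge, while an empty header set leaves the page frameable by anyone, which is the condition the thread's proposals were trying to remove.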
Received on Wednesday, 15 July 2009 18:24:44 UTC