- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 15 Jul 2009 18:24:44 -0700
On Wed, Jul 15, 2009 at 5:26 PM, Ian Hickson <ian at hixie.ch> wrote:
>
> There have been a number of discussions about clickjacking,
> X-Frame-Options, and other proposals.
>
> Nobody I've spoken to seems especially happy with X-Frame-Options, and
> none of the other proposals have yet gotten serious traction.
>
> I have therefore not added anything of this nature to the HTML5 spec yet.
> I propose that from a standardisation perspective, we continue to wait to
> get more implementation experience and document the end result once we
> are more confident that a long-term solution has been found.
>
> I recommend that people interested in this field work with browser vendors
> to get experimental implementations of their proposals, so that we can
> study their effects on Web content.

Note that Content Security Policies[1] can be used to deal with
clickjacking. So far we've gotten a lot of positive feedback to CSP and
are in the process of implementing it in Firefox. So it's a possible
solution to this.

/ Jonas

[1] http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/

Received on Wednesday, 15 July 2009 18:24:44 UTC