[whatwg] Clickjacking and CSRF

On Wed, Jul 15, 2009 at 5:26 PM, Ian Hickson <ian at hixie.ch> wrote:
>
> There have been a number of discussions about clickjacking,
> X-Frame-Options, and other proposals.
>
> Nobody I've spoken to seems especially happy with X-Frame-Options, and
> none of the other proposals have yet gotten serious traction.
>
> I have therefore not added anything of this nature to the HTML5 spec yet.
> I propose that from a standardisation perspective, we continue to wait to
> get more implementation experience and document the end result once we
> are more confident that a long-term solution has been found.
>
> I recommend that people interested in this field work with browser vendors
> to get experimental implementations of their proposals, so that we can
> study their effects on Web content.

Note that Content Security Policies [1] can be used to deal with
clickjacking. So far we've gotten a lot of positive feedback on CSP
and are in the process of implementing it in Firefox. So it's a possible
solution to this.

/ Jonas

[1] http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/
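As an added example (not code from this thread, and not Mozilla's implementation), the following Python models the check a browser performs when deciding whether a response may be framed, using the two defences the thread names: the X-Frame-Options header and a CSP frame-ancestors directive. The semantics assumed are the later standardised ones (DENY/SAMEORIGIN, and frame-ancestors taking precedence when both headers are present); all header values and origins are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) for a URL, with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def source_matches(src, framer, page):
    """Match one frame-ancestors source expression against the framing origin.
    Handles 'self', '*', scheme://host[:port] and *.host wildcards; a source
    written without a scheme is matched on host/port only (a simplification)."""
    s = src.lower()
    if s == "'self'":
        return framer == page
    if s == "*":
        return True
    scheme, _, hostport = s.rpartition("://")
    host, _, port = hostport.partition(":")
    if scheme and scheme != framer[0]:
        return False
    if port and port != "*" and int(port) != framer[2]:
        return False
    if host.startswith("*."):          # *.example matches sub.example, not example
        return framer[1].endswith(host[1:])
    return framer[1] == host

def framing_allowed(headers, framer_url, page_url):
    """True if a response carrying `headers` may be embedded by a document at
    framer_url.  A CSP frame-ancestors directive, when present, overrides
    X-Frame-Options; with neither header set, any site may frame the page."""
    h = {k.lower(): v for k, v in headers.items()}
    framer, page = origin(framer_url), origin(page_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = [x.lower() for x in value.split()]
            if not sources or sources == ["'none'"]:
                return False
            return any(source_matches(s, framer, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True
```

The "no header at all" case returning True is the situation the thread is about: without one of these headers, nothing stops a third-party page from embedding the response and overlaying it.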

Received on Wednesday, 15 July 2009 18:24:44 UTC