
[whatwg] Clickjacking and CSRF

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Wed, 15 Jul 2009 22:18:26 -0400
Message-ID: <7c2a12e20907151918y5f9966aan3c21b61b2d7e5fbe@mail.gmail.com>
On Wed, Jul 15, 2009 at 9:53 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
> Didn't Ian, 2 messages back, suggest that vendors experiment and bring their
> results back to the table at a later date? Or has CSP never been discussed
> here?

I haven't seen it discussed here, but maybe it has been and I didn't
see or don't remember.  Although Ian might not want to consider it for
HTML 5 without vendor agreement, I'd think that a separate working
group could be set up (or an existing one appropriated) to work it out
with input from multiple vendors.  Implement-then-document surely
isn't an ideal procedure for large, complicated things like CSP.
There would be a lot of wasted effort if other vendors decide they
don't like the approach, and Mozilla might be more reluctant to invest
in other solutions after they've put a lot of work into CSP.

I might be overestimating the difficulty of implementing CSP, but the
spec page is more than 6000 words, and it's not even particularly
precise (at least not as precise as HTML 5 is).  X-Frame-Options is
about one paragraph to fully specify, and can't have been too hard to
implement -- vendors making up things like that independently (or
HttpOnly cookies, etc.) is a lot more reasonable.
Received on Wednesday, 15 July 2009 19:18:26 UTC
