W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2009

[whatwg] Clickjacking and CSRF

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 16 Jul 2009 13:25:15 -0700
Message-ID: <63df84f0907161325n6509cff1yafd417fd34c82170@mail.gmail.com>
On Wed, Jul 15, 2009 at 6:48 PM, Aryeh Gregor<Simetrical+w3c at gmail.com> wrote:
> On Wed, Jul 15, 2009 at 9:24 PM, Jonas Sicking<jonas at sicking.cc> wrote:
>> Note that Content Security Policies[1] can be used to deal with
>> clickjacking. So far we've gotten a lot of positive feedback to CSP
>> and are in progress of implementing it in firefox. So it's a possible
>> solution to this.
>
> Is Mozilla planning to run CSP through a usual standards body like the
> W3C, either before or after implementation? ?If you plan to
> standardize it after implementation, why not before instead? ?CSP
> looks really exciting, but I'm not clear on whether or when it will be
> standardized -- I've heard talk of implementing it, but not of
> standardizing it.

We've actually proposed it to the webapps list, but got little to no
response. I'm not sure if we at this time have anyone that would have
the resources to offer to be editor for a W3C CSP spec, if any of the
WGs there are interested to host it.

So in short, yes, we'd love to have it standardized, but so far
haven't found a path to make that practically happen.

But, as Mike said, we'd love to get feedback, and we'd love to get it
now. So far most of the feedback we've gotten has been "looks
interesting" which we take as a pretty good sign, but a little lacking
in detail :)

/ Jonas
Received on Thursday, 16 July 2009 13:25:15 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:14 UTC