[whatwg] Allowing Clickjacking Prevention using a Minimal Javascript API

From: Rob Ennals <rje@google.com>
Date: Thu, 18 Aug 2011 08:49:35 -0700
Message-ID: <CAJsGU-qhpsCTHsznnncBoXvAi=Ek4ookFC2hfQAFKOvec9Ty5A@mail.gmail.com>

On Thu, Aug 18, 2011 at 1:53 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Thu, 18 Aug 2011 00:51:39 +0200, Rob Ennals <rje at google.com> wrote:
>>
>> Thoughts?
>
> APIs fail with <iframe sandbox>.

I don't think sandbox would be a problem. If scripts are disabled with
<iframe sandbox> then the page wouldn't run the script that turns
everything on.

Similarly, if the browser doesn't support the extra APIs, then the
script would know that it didn't have clickjacking protection, and
would enter a more conservative mode - e.g. opening a new window to do
particularly sensitive operations.

>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
Received on Thursday, 18 August 2011 08:49:35 UTC