- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 24 Jan 2012 20:46:49 +0000 (UTC)
On Wed, 17 Aug 2011, Rob Ennals wrote:
>
> I'd like to present a proposal for a minimal API that would allow
> clickjacking prevention, while still allowing useful cross-domain
> iframing such as share buttons etc.
>
> To allow an iframe to detect clickjacking, the browser would provide
> API functions to determine the following:
> * The origins of all enclosing documents
> * The size of the iframe viewport
> * Whether any of the iframe content might be covered by something else
>   - scrolled into view, and no overlapping rectangles with higher z-order
> * Its absolute position in the window
> * The complete computed style applied to the iframe (e.g. is it zoomed
>   or transparent)
> * Receive an event whenever any of these change
> * Any other information I've forgotten that might indicate clickjacking

Why not just have the user agent provide a single boolean isClickJacked?
I mean, there's no reason the browser wouldn't be able to do the same
work that a library could, is there?

On Thu, 18 Aug 2011, Rob Ennals wrote:
> On Thu, Aug 18, 2011 at 1:53 AM, Anne van Kesteren <annevk at opera.com> wrote:
> >
> > APIs fail with <iframe sandbox>.
>
> I don't think sandbox would be a problem. If scripts are disabled with
> <iframe sandbox> then the page wouldn't run the script that turns
> everything on.

Do we really want to say that pages should only work with JS enabled?

It's not clear to me why X-Frame-Options doesn't solve the problem here.
Why would a sensitive site allow itself to be framed by non-same-origin
pages anyway?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 24 January 2012 12:46:49 UTC
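The header-based defence Ian points to, modelled as the decision a user agent makes before it renders a framed response. This is an added example, not code from the thread or from any browser; `sensitivePageHeaders`, `shareButtonHeaders`, `xfoAllows`, `frameAncestorsAllows` and `framingAllowed` are names chosen here, the evaluator is a deliberately simplified model of the X-Frame-Options and CSP `frame-ancestors` rules (host wildcards and ALLOW-FROM are left out), and all origins are constructed sample input.

```javascript
// Added example (assumption-labelled model, not a browser's implementation):
// the enforcement that X-Frame-Options / CSP frame-ancestors give a page
// without any script running inside the frame.

// Headers a sensitive page would send: it refuses to be framed at all.
function sensitivePageHeaders() {
  return {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
  };
}

// Headers a share-button endpoint would send: being framed by arbitrary
// sites is the whole point, so it allows any ancestor.
function shareButtonHeaders() {
  return { 'content-security-policy': 'frame-ancestors *' };
}

// Compare two origins (scheme, host, port). Unparseable input is never
// same-origin, which keeps a malformed policy source from matching.
function sameOrigin(a, b) {
  let x, y;
  try { x = new URL(a); y = new URL(b); } catch (e) { return false; }
  const port = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');
  return x.protocol === y.protocol && x.hostname === y.hostname && port(x) === port(y);
}

// X-Frame-Options. `ancestors` lists the origins of every enclosing document,
// outermost first; an empty list means the response is a top-level page.
// Unrecognised values are ignored by browsers, i.e. give no protection.
function xfoAllows(value, pageOrigin, ancestors) {
  if (ancestors.length === 0) return true;
  const v = value.trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return ancestors.every((a) => sameOrigin(a, pageOrigin));
  return true;
}

// CSP frame-ancestors: every ancestor must match at least one source.
// Supported sources here: 'none', 'self', *, and a literal origin (assumption:
// no scheme-only or host-wildcard sources).
function frameAncestorsAllows(sourceList, pageOrigin, ancestors) {
  if (ancestors.length === 0) return true;
  const sources = sourceList.trim().split(/\s+/);
  if (sources.length === 1 && sources[0] === "'none'") return false;
  return ancestors.every((a) => sources.some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return sameOrigin(a, pageOrigin);
    return sameOrigin(a, src);
  }));
}

// The user agent's decision. When both headers are present, frame-ancestors
// is enforced and X-Frame-Options ignored (CSP Level 2 behaviour).
function framingAllowed(headers, pageOrigin, ancestors) {
  const csp = headers['content-security-policy'];
  const fa = csp && csp.split(';').map((s) => s.trim())
    .find((d) => d.startsWith('frame-ancestors'));
  if (fa) return frameAncestorsAllows(fa.slice('frame-ancestors'.length), pageOrigin, ancestors);
  const xfo = headers['x-frame-options'];
  if (xfo) return xfoAllows(xfo, pageOrigin, ancestors);
  return true; // no policy at all: anyone may frame the page
}

// Constructed scenario: an attacker page frames the sensitive page and a
// share button. Only the share button should render.
console.log('bank in attacker frame:',
  framingAllowed(sensitivePageHeaders(), 'https://bank.example', ['https://attacker.example']));
console.log('share button in blog frame:',
  framingAllowed(shareButtonHeaders(), 'https://social.example', ['https://blog.example']));
```

Nothing here depends on script in the framed document, which is the practical difference from a detection API: the check is made from the response headers before the content is shown, so it holds under `<iframe sandbox>` with scripts disabled. The cost is the one Rob's proposal tries to avoid: a page that must be embeddable by arbitrary third parties (a share button) cannot use these headers to say no, it can only say yes.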