[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Sat Sep 27 05:48:56 PDT 2008
On Sat, 27 Sep 2008, Anne van Kesteren wrote:

> Could you list these comprehensive designs perhaps?

I mean, proposals to make it possible for sites to opt in for explicitly
controlling various cross-domain interactions now permitted by default
(which includes including scripts, making POST requests, IFRAMEing
content, etc)... Say:

http://people.mozilla.org/~bsterne/content-security-policy/

...(which I do not like for a number of reasons, but that's a separate
thread), or proposals from OpenAjax, etc; I also seem to recall seeing
something along these lines proposed by Microsoft. Many of these
essentially extend the basic mechanisms proposed for cross-domain
XMLHttpRequest.

/mz