[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Sat Sep 27 05:48:56 PDT 2008

On Sat, 27 Sep 2008, Anne van Kesteren wrote:

> Could you list these comprehensive designs perhaps?

I mean, proposals to make it possible for sites to opt in for explicitly 
controlling various cross-domain interactions now permitted by default 
(which includes including scripts, making POST requests, IFRAMEing 
content, etc)... Say:


...(which I do not like for a number of reasons, but that's a separate 
thread), or proposals from OpenAjax, etc; I also seem to recall seeing 
something along these lines proposed by Microsoft. Many of these 
essentially extend the basic mechanisms proposed for cross-domain 


More information about the whatwg mailing list