[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Giorgio Maone g.maone at informaction.com
Wed Feb 18 12:38:43 PST 2009


Bil Corry wrote, On 18/02/2009 21.31:
> Boris Zbarsky wrote on 2/18/2009 9:27 AM: 
>   
>> And really no different from:
>>
>>   <script>
>>     if (window != window.top)
>>       window.top.location.href = window.location.href;
>>   </script>
>>
>> in effect, right?  This last already works in all browsers except IE,
>> which is presumably why IE felt the need to add another way to do it.
>>     
>
> Supposedly, a future release of IE8 will fix this (see Issue #4):
>
> 	http://ha.ckers.org/blog/20081007/clickjacking-details/
>   
I doubt we'll see a "fix" for <iframe security=restricted> ;)
-- G
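
Added example, not part of the original message or of any browser's code: IE's <iframe security=restricted>, mentioned in the reply above, runs the framed page with script disabled, so the quoted frame-busting script never executes. A fail-closed variant hides the page by default and reveals it only when script runs at top level; the element id "antiFrame", the helper names and the example.* URLs are assumptions made for this sketch.

```javascript
// Added example. Assumption: the page's <head> contains
//   <style id="antiFrame">body { display: none }</style>
// so content is hidden until this script runs and removes that element.

function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true; // reading win.top threw: fail closed, treat as framed
  }
}

function enforceTopLevel(win, doc) {
  if (isFramed(win)) {
    try {
      // Same navigation as the quoted script; content stays hidden meanwhile.
      win.top.location.href = win.location.href;
    } catch (e) { /* navigation blocked: stay hidden */ }
    return "hidden";
  }
  const guard = doc.getElementById("antiFrame");
  if (guard && guard.parentNode) guard.parentNode.removeChild(guard);
  return "revealed";
}

// Constructed stand-ins for window/document so the logic runs outside a browser.
function makeFakePage(framed) {
  const head = {
    children: [],
    removeChild(n) { this.children = this.children.filter(c => c !== n); },
  };
  head.children.push({ id: "antiFrame", parentNode: head });
  const doc = { getElementById: id => head.children.find(c => c.id === id) || null };
  const win = { location: { href: "https://site.example/account" } };
  win.self = win;
  win.top = framed ? { location: { href: "https://framer.example/" } } : win;
  return { win, doc };
}

// In a browser, run immediately; under Node there is no window, so skip.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  enforceTopLevel(window, document);
}
```

With script disabled in the frame, none of this runs and the antiFrame style keeps the body hidden, which is the case the unconditional redirect alone does not cover.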