[whatwg] Clickjacking and CSRF
bil at corry.biz
Fri Feb 20 10:36:47 PST 2009
Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
> One proposed way of doing this would be a single header, of the form:
> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
> This incorporates the idea from the IE team, and extends on it.
Have you taken a look at ABE?
> For cross-domain resources, this means that a browser would first have
> to make a request with GET and without authentication tokens to get the
> x-cross-domain-options settings from the resource. If the settings
> allow, a second request may be made, if the second request would be
> different. The results of the last request are handed over to the document.
Have you considered using OPTIONS for the pre-flight request, similar to how Access Control for Cross-Site Requests does it?
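As an added example, not code from this thread or from any browser, here is a small Python evaluator for the proposed header as quoted above: it parses the `deny=...; AllowSameOrigin;` directives and decides whether the second request may be made. How the directives combine (AllowSameOrigin exempting same-origin requests, each deny blocking a cross-origin request that uses that feature) and the function names are my assumptions.

```python
"""Evaluator for the proposed x-cross-domain-options header (constructed
example, not from the thread or any browser; the directive syntax is the
one quoted above, how directives combine is an assumed reading of it)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    deny: frozenset          # subset of {"frame", "post", "auth"}
    allow_same_origin: bool  # AllowSameOrigin flag present


def parse_policy(header_value):
    """Parse e.g. 'deny=frame,post,auth; AllowSameOrigin;' into a Policy."""
    deny, allow_same_origin = set(), False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue  # trailing ';' leaves an empty piece
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "deny":
            deny |= {v.strip().lower() for v in value.split(",") if v.strip()}
        elif name == "allowsameorigin":
            allow_same_origin = True
        else:
            raise ValueError("unknown directive: " + directive)
    unknown = deny - {"frame", "post", "auth"}
    if unknown:
        raise ValueError("unknown deny target(s): " + ",".join(sorted(unknown)))
    return Policy(frozenset(deny), allow_same_origin)


def request_allowed(policy, request_origin, resource_origin,
                    method, with_credentials, framed):
    """Decide whether the browser may issue the second (real) request.

    Assumed semantics: AllowSameOrigin exempts same-origin requests; for
    cross-origin requests each denied feature blocks a request using it.
    """
    if policy.allow_same_origin and request_origin == resource_origin:
        return True
    if framed and "frame" in policy.deny:
        return False
    if method.upper() == "POST" and "post" in policy.deny:
        return False
    if with_credentials and "auth" in policy.deny:
        return False
    return True
```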