[whatwg] Clickjacking and CSRF
Bil Corry
bil at corry.biz
Fri Feb 20 10:36:47 PST 2009
Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
> One proposed way of doing this would be a single header, of the form:
> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
> allow=*.opera.com,example.net;
> This incorporates the idea from the IE team, and extends on it.
Have you taken a look at ABE?
http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf
> For cross-domain resources, this means that a browser would first have
> to make a request with GET and without authentication tokens to get the
> x-cross-domain-options settings from the resource. If the settings
> allow, a second request may be made, if the second request would be
> different. The result of the last request is handed over to the document.
Have you considered using OPTIONS for the pre-flight request, similar to how Access Control for Cross-Site Requests does it?
http://www.w3.org/TR/access-control/#cross-site2
- Bil
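As an added illustration (not code from the thread, from Opera, or from the IE team), here is a small Python evaluator for the header format Sigbjørn proposes above. The proposal does not define the parsing rules, so the following are assumptions: `deny` names actions refused to every cross-domain requester, `AllowSameOrigin` exempts the resource's own origin, `allow` lists hosts that are exempted, and a leading `*.` matches any subdomain.

```python
from urllib.parse import urlsplit


def parse_cross_domain_options(header):
    """Parse a proposed x-cross-domain-options value into a policy dict.

    Directive grammar is assumed: ';'-separated, names case-insensitive,
    'deny' and 'allow' take ','-separated lists, 'AllowSameOrigin' is a flag.
    """
    policy = {"deny": set(), "allow": [], "allow_same_origin": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        items = [v.strip().lower() for v in value.split(",") if v.strip()]
        if name == "deny":
            policy["deny"] = set(items)
        elif name == "allow":
            policy["allow"] = items
        elif name == "allowsameorigin":
            policy["allow_same_origin"] = True
        else:
            # Unknown directives are rejected rather than silently ignored,
            # so a typo cannot quietly weaken the policy.
            raise ValueError(f"unknown directive: {name!r}")
    return policy


def host_matches(host, pattern):
    """'*.opera.com' matches any subdomain of opera.com (assumed semantics);
    any other pattern must match the host exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def is_permitted(policy, resource_origin, requester_origin, action):
    """Return True if `action` ('frame', 'post', 'auth', ...) by
    requester_origin against resource_origin is allowed by the policy."""
    if action.lower() not in policy["deny"]:
        return True  # action is not restricted at all
    if policy["allow_same_origin"] and requester_origin.lower() == resource_origin.lower():
        return True
    host = (urlsplit(requester_origin).hostname or "").lower()
    return any(host_matches(host, p) for p in policy["allow"])
```

The origins passed in are constructed sample values; a browser implementing the pre-flight would call `is_permitted` with the fetched policy before issuing the second, authenticated request.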