[whatwg] Clickjacking and CSRF

Bil Corry bil at corry.biz
Fri Feb 20 10:36:47 PST 2009

Sigbjørn Vik wrote on 2/20/2009 8:46 AM: 
> One proposed way of doing this would be a single header, of the form:
> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
> allow=*.opera.com,example.net;
> This incorporates the idea from the IE team, and extends on it.

Have you taken a look at ABE?


> For cross-domain resources, this means that a browser would first have
> to make a request with GET and without authentication tokens to get the
> x-cross-domain-options settings from the resource. If the settings
> allow, a second request may be made, if the second request would be
> different. The result of last request are handed over to the document.

Have you considered using OPTIONS for the pre-flight request, similar to how Access Control for Cross-Site Requests does it?


- Bil

More information about the whatwg mailing list