[whatwg] Clickjacking and CSRF

Sigbjørn Vik sigbjorn at opera.com
Mon Feb 23 07:44:20 PST 2009

On Mon, 23 Feb 2009 14:23:40 +0100, Giorgio Maone <g.maone at informaction.com> wrote:

>> On Fri, 20 Feb 2009 19:36:47 +0100, Bil Corry <bil at corry.biz> wrote:
>>> Sigbjørn Vik wrote on 2/20/2009 8:46 AM:
>>>> One proposed way of doing this would be a single header, of the form:
>>>> x-cross-domain-options: deny=frame,post,auth; AllowSameOrigin;
>>>> allow=*.opera.com,example.net;
>>>> This incorporates the idea from the IE team, and extends on it.
>>> Have you taken a look at ABE?
>>>     http://hackademix.net/wp-content/uploads/2008/12/abe_rules_03.pdf
>> I am not quite certain what you are referring to, the document is a
>> ruleset for how to express what is allowed and disallowed. Do you mean
>> that clients should be using a URL list, or that servers should be
>> using this particular grammar to decide which headers to send with
>> their URLs?
>> For a domain wide policy file a document like this might work well
>> though.
> ABE is meant to be configured in 3 ways:
>    1. With user-provided rules, deployed directly client-side
>    2. With community-provided rules, downloaded periodically from a
>       trusted repository
>    3. As a site-wide policy deployed on the server side in a single
>       file, much like crossdomain.xml
> See http://hackademix.net/2008/12/20/introducing-abe/ and especially
> this http://hackademix.net/2008/12/20/introducing-abe/#comment-10165
> comment about site-provided rules and merging.

Yes, a domain wide policy file might be good to have, but it could not entirely replace having a header settable for a single resource, not all web authors have access to the root, so it would have to come as an addition, an optional replace.

If a domain wide policy file is used, it would make sense to have it in a format which can be distributed and applied locally, so users can patch web sites that don't do it themselves. ABE looks like a good candidate for all of this. A good candidate might also have to be implementable by the server, so that a server can look at the policy file, and determine which headers to send for any particular resource, including which resources to send no headers for at all. Presumably ABE would work for that too.

Sigbjørn Vik
Quality Assurance
Opera Software

More information about the whatwg mailing list