[whatwg] Clickjacking and CSRF

Aryeh Gregor Simetrical+w3c at gmail.com
Wed Jul 15 19:18:26 PDT 2009


On Wed, Jul 15, 2009 at 9:53 PM, Jeremy Orlow<jorlow at chromium.org> wrote:
> Didn't Ian, 2 messages back, suggest that vendors experiment and bring their
> results back to the table at a later date?  Or has CSP never been discussed
> here?

I haven't seen it discussed here, but maybe it has been and I didn't
see or don't remember.  Although Ian might not want to consider it for
HTML 5 without vendor agreement, I'd think that a separate working
group could be set up (or an existing one appropriated) to work it out
with input from multiple vendors.  Implement-then-document surely
isn't an ideal procedure for large, complicated things like CSP.
There would be a lot of wasted effort if other vendors decide they
don't like the approach, and Mozilla might be more reluctant to invest
in other solutions after they've put a lot of work into CSP.

I might be overestimating the difficulty of implementing CSP, but the
spec page is more than 6000 words, and it's not even particularly
precise (at least not as precise as HTML 5 is).  X-Frame-Options is
about one paragraph to fully specify, and can't have been too hard to
implement -- vendors making up things like that independently (or
HttpOnly cookies, etc.) is a lot more reasonable.


More information about the whatwg mailing list