[whatwg] Clickjacking and CSRF
jonas at sicking.cc
Wed Jul 15 18:24:44 PDT 2009
On Wed, Jul 15, 2009 at 5:26 PM, Ian Hickson <ian at hixie.ch> wrote:
> There have been a number of discussions about clickjacking,
> X-Frame-Options, and other proposals.
> Nobody I've spoken to seems especially happy with X-Frame-Options, and
> none of the other proposals have yet gotten serious traction.
> I have therefore not added anything of this nature to the HTML5 spec yet.
> I propose that from a standardisation perspective, we continue to wait to
> get more implementation experience and document the end result once we
> are more confident that a long-term solution has been found.
> I recommend that people interested in this field work with browser vendors
> to get experimental implementations of their proposals, so that we can
> study their effects on Web content.
Note that Content Security Policies can be used to deal with
clickjacking. So far we've gotten a lot of positive feedback to CSP
and are in the process of implementing it in Firefox. So it's a possible
solution to this.
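
A header check covering the two mechanisms named in this thread, added here as an example; it is not code from the message or from Firefox. It assumes CSP's `frame-ancestors` directive (not named in the message), and the function names and sample header values are illustrative.

```javascript
// Added example (not from the thread): classify the anti-framing headers of a response.
// `headers` is a plain name -> value object; callers supply it, nothing is fetched.

// Rank one frame-ancestors source list: 3 deny, 2 same-origin, 1 allowlist, 0 any origin.
function rankSources(sources) {
  if (sources.some((s) => s === '*' || s === 'http:' || s === 'https:')) return 0;
  if (sources.length === 0 || sources.every((s) => s === "'none'")) return 3;
  if (sources.every((s) => s === "'self'")) return 2;
  return 1;
}

// Collect the frame-ancestors list of every policy in one header value.
function parseFrameAncestors(cspValue) {
  const lists = [];
  for (const policy of cspValue.split(',')) {       // comma separates policies
    for (const directive of policy.split(';')) {    // semicolon separates directives
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'frame-ancestors') {
        lists.push(sources.map((s) => s.toLowerCase()));
        break; // a repeated directive inside one policy is ignored
      }
    }
  }
  return lists;
}

const LEVELS = ['none', 'allowlist', 'same-origin', 'deny'];

function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
  const lists = parseFrameAncestors(h['content-security-policy'] || '');
  if (lists.length > 0) {
    // All policies apply together, so report the strictest single one.
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const rank = Math.max(...lists.map(rankSources));
    return { level: LEVELS[rank], via: 'csp' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { level: 'deny', via: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { level: 'same-origin', via: 'x-frame-options' };
  // ALLOW-FROM and unrecognised values are not enforced by current mainstream browsers.
  return { level: 'none', via: xfo ? 'x-frame-options' : 'missing' };
}
```

A `level` of `none` on a page that performs state-changing actions is the finding to act on; `allowlist` results still need the listed origins reviewed by hand.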