[whatwg] Allowing Clickjacking Prevention using a Minimal Javascript API

Rob Ennals rje at google.com
Thu Aug 18 08:49:35 PDT 2011

On Thu, Aug 18, 2011 at 1:53 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Thu, 18 Aug 2011 00:51:39 +0200, Rob Ennals <rje at google.com> wrote:
>> Thoughts?
> APIs fail with <iframe sandbox>.

I don't think sandbox would be a problem. If scripts are disabled with
<iframe sandbox> then the page wouldn't run the script that turns
everything on.

Similarly, if the browser doesn't support the extra APIs, then the
script would know that it didn't have clickjacking protection, and
would enter a more conservative mode - e.g. opening a new window to do
particularly sensitive operations.

> --
> Anne van Kesteren
> http://annevankesteren.nl/

More information about the whatwg mailing list