[whatwg] Allowing Clickjacking Prevention using a Minimal Javascript API
Ian Hickson
ian at hixie.ch
Tue Jan 24 12:46:49 PST 2012
On Wed, 17 Aug 2011, Rob Ennals wrote:
>
> I'd like to present a proposal for a minimal API that would allow
> clickjacking prevention, while still allowing useful cross-domain
> iframing such as share buttons etc.
>
> To allow an iframe to detect clickjacking, the browser would provide
> API functions to determine the following:
> * The origins of all enclosing documents
> * The size of the iframe viewport
> * Whether any of the iframe content might be covered by something else
> - scrolled into view, and no overlapping rectangles with higher z-order
> * It's absolute position in the window
> * The complete computed style applied to the iframe (e.g. is it zoomed
> or transparent)
> * Receive an event whenever any of these change
> * Any other information I've forgotten that might indicate clickjacking
Why not just have the user agent provide a single boolean isClickJacked? I
mean, there's no reason the browser wouldn't be able to do the same work
that a library could, is there?
On Thu, 18 Aug 2011, Rob Ennals wrote:
> On Thu, Aug 18, 2011 at 1:53 AM, Anne van Kesteren <annevk at opera.com> wrote:
> >
> > APIs fail with <iframe sandbox>.
>
> I don't think sandbox would be a problem. If scripts are disabled with
> <iframe sandbox> then the page wouldn't run the script that turns
> everything on.
Do we really want to say that pages should only work with JS enabled?
It's not clear to me why X-Frame-Options doesn't solve the problem here.
Why would a sensitive site allow itself to be framed by non-same-origin
pages anyway?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list