[whatwg] Allowing Clickjacking Prevention using a Minimal Javascript API

Ian Hickson ian at hixie.ch
Tue Jan 24 12:46:49 PST 2012

On Wed, 17 Aug 2011, Rob Ennals wrote:
> I'd like to present a proposal for a minimal API that would allow 
> clickjacking prevention, while still allowing useful cross-domain 
> iframing such as share buttons etc.
> To allow an iframe to detect clickjacking, the browser would provide
> API functions to determine the following:
> * The origins of all enclosing documents
> * The size of the iframe viewport
> * Whether any of the iframe content might be covered by something else
>     - scrolled into view, and no overlapping rectangles with higher z-order
> * It's absolute position in the window
> * The complete computed style applied to the iframe (e.g. is it zoomed
> or transparent)
> * Receive an event whenever any of these change
> * Any other information I've forgotten that might indicate clickjacking

Why not just have the user agent provide a single boolean isClickJacked? I 
mean, there's no reason the browser wouldn't be able to do the same work 
that a library could, is there?

On Thu, 18 Aug 2011, Rob Ennals wrote:
> On Thu, Aug 18, 2011 at 1:53 AM, Anne van Kesteren <annevk at opera.com> wrote:
> >
> > APIs fail with <iframe sandbox>.
> I don't think sandbox would be a problem. If scripts are disabled with 
> <iframe sandbox> then the page wouldn't run the script that turns 
> everything on.

Do we really want to say that pages should only work with JS enabled?

It's not clear to me why X-Frame-Options doesn't solve the problem here. 
Why would a sensitive site allow itself to be framed by non-same-origin 
pages anyway?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list