Security/CSP/ClickJackingModule: Difference between revisions

(draft clickjacking module)
 
Line 31: Line 31:
= Open Issues =
= Open Issues =


* The threat and the solution seem to be disconnected. If the goal is to protect against unintentional clicks, then maybe a fine grained display separation requirement / click confirmation dialog requirement should be made. If the solution is this, then the goal should be rewritten as 'control resource embedding'.
* The threat and the solution seem to be disconnected. If the goal is to protect against unintentional clicks, then maybe a fine grained display separation requirement / click confirmation dialog requirement (like ClearClick) should be made. If the solution is this, then the goal should be rewritten as 'control resource embedding'.
* Another possible ClickJacking scenario is if the website is embedding another iframe - the embedded frame could cover up some area of the site. (http://www.cs.berkeley.edu/~devdatta/1.html for a trivial e.g). Currently this is not in the threat model (nor is it explicitly outside the threat model. We should figure out what we want to do in this case.
 


[1] https://wiki.mozilla.org/Security/CSP/Spec#frame-ancestors
[1] https://wiki.mozilla.org/Security/CSP/Spec#frame-ancestors
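Review bot: the new third bullet (a site embedding an iframe that covers part of its own page) describes a case that frame-ancestors [1] cannot address, because that directive lets a page restrict who may frame it, not what it frames itself; the bullet should state that distinction explicitly rather than leaving the case as "not in the threat model (nor ... outside the threat model)", so a reader knows whether embedder-side overlays are in or out of scope for this module. Also, the parenthesis opened at "(nor is it explicitly outside the threat model" is never closed, and "for a trivial e.g" reads as a typo for "for a trivial example".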