
ClickJackingModule (was Re: Comments on the Content Security Policy specification)


Adam Barth

Oct 20, 2009, 9:50:55 PM
to Devdatta, dev-se...@lists.mozilla.org, Lucas Adamski
Thanks Devdatta. One of the nice things about separating the
clickjacking concerns from the XSS concerns is that developers can
deploy a policy like

X-Content-Security-Policy: frame-ancestors self

without having to make sure that all the setTimeout calls in their web
app use function objects instead of strings.

Adam


On Tue, Oct 20, 2009 at 6:05 PM, Devdatta <dev.a...@gmail.com> wrote:
> On a related note, just to have one more example (and for my learning),
> I went ahead and wrote a draft for ClickJackingModule.
> https://wiki.mozilla.org/Security/CSP/ClickJackingModule
>
> In general I like how short and simple each individual module is.
>
> Cheers
> Devdatta

Lucas Adamski

Oct 20, 2009, 10:02:48 PM
to Adam Barth, dev-se...@lists.mozilla.org, Devdatta
Note that the XSS mitigations can be opted out of, so we shouldn't
assume that mitigating something specific like clickjacking requires
XSS mitigations in the current proposal.
Lucas.