Thanks Devdatta. One of the nice things about separating the clickjacking concerns from the XSS concerns is that developers can deploy a policy like

X-Content-Security-Policy: frame-ancestors self

without having to make sure that all the setTimeout calls in their web app use function objects instead of strings.

Adam

On Tue, Oct 20, 2009 at 6:05 PM, Devdatta <[email protected]> wrote:
> On a related note, just to have one more example (and for my learning),
> I went ahead and wrote a draft for ClickJackingModule.
> https://wiki.mozilla.org/Security/CSP/ClickJackingModule
>
> In general I like how short and simple each individual module is.
>
> Cheers
> Devdatta
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
