> This is a good point. Clickjacking could be addressed by designing a way
> to ensure an element is "on top" (a master z-index?) and also ensuring that
> the button is visible for at least {the time it takes for a human to
> recognize a button}+1 before it can be pressed.
>
>
No, this does not take into account visibility via the CSS visibility,
opacity and clip properties, or content containment+masking via frames.
The only implementation I know of that actually manages to "enforce"
visibility is the QuickTime plugin running in Firefox and Chrome. Even
then, there's nothing it can do about content obscuring it or making it
look like something else without actually covering it.

What would be wrong with using the same UI from Geolocation access for
something like camera access? An API method requests that the user grant
camera permissions, which shows them the appropriate dialog to confirm.
Events are fired to inform the requesting application whether it was
granted access or not. It could even differentiate between video
recordings and still picture taking, as long as there was a limited
"preview" API (perhaps a low-quality media stream).
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security