On Wed, 17 Aug 2011, Rob Ennals wrote:
>
> I'd like to present a proposal for a minimal API that would allow
> clickjacking prevention, while still allowing useful cross-domain
> iframing such as share buttons etc.
>
> To allow an iframe to detect clickjacking, the browser would provide
> API functions to determine the following:
> * The origins of all enclosing documents
> * The size of the iframe viewport
> * Whether any of the iframe content might be covered by something else
>   - scrolled into view, and no overlapping rectangles with higher z-order
> * Its absolute position in the window
> * The complete computed style applied to the iframe (e.g. is it zoomed
>   or transparent)
> * Receive an event whenever any of these change
> * Any other information I've forgotten that might indicate clickjacking

Why not just have the user agent provide a single boolean isClickJacked? I
mean, there's no reason the browser wouldn't be able to do the same work
that a library could, is there?

On Thu, 18 Aug 2011, Rob Ennals wrote:
> On Thu, Aug 18, 2011 at 1:53 AM, Anne van Kesteren <[email protected]> wrote:
> >
> > APIs fail with <iframe sandbox>.
>
> I don't think sandbox would be a problem. If scripts are disabled with
> <iframe sandbox> then the page wouldn't run the script that turns
> everything on.

Do we really want to say that pages should only work with JS enabled?

It's not clear to me why X-Frame-Options doesn't solve the problem here.
Why would a sensitive site allow itself to be framed by non-same-origin
pages anyway?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
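
The signals listed in the quoted proposal, folded into the single boolean suggested in the reply. This is an added example, not part of the original thread: no browser exposes this API, and the snapshot object, its field names, the policy thresholds and the sample values are all hypothetical.

```javascript
// Hypothetical: `snap` stands in for what the proposed API would report to
// the framed page; none of these field names exist in any browser.

// Returns the reasons a framed widget should refuse to act on a click.
function clickjackReasons(snap, policy) {
  const reasons = [];
  // Origins of all enclosing documents (null allowlist = any site may frame).
  if (policy.allowedOrigins !== null) {
    for (const origin of snap.ancestorOrigins) {
      if (!policy.allowedOrigins.includes(origin)) {
        reasons.push('untrusted-ancestor:' + origin);
      }
    }
  }
  // Size of the iframe viewport: too small to show the whole control.
  if (snap.viewport.width < policy.minWidth ||
      snap.viewport.height < policy.minHeight) {
    reasons.push('viewport-too-small');
  }
  // Covered by an overlapping rectangle with higher z-order.
  if (snap.occluded) reasons.push('occluded');
  // Absolute position in the window: must be fully scrolled into view.
  const { x, y } = snap.position;
  if (x < 0 || y < 0 ||
      x + snap.viewport.width > snap.window.width ||
      y + snap.viewport.height > snap.window.height) {
    reasons.push('partly-offscreen');
  }
  // Computed style applied to the iframe: transparent or zoomed.
  if (snap.style.opacity < 1) reasons.push('transparent');
  if (snap.style.scale !== 1) reasons.push('scaled');
  return reasons;
}

// The single boolean, computed from the same signals.
function isClickJacked(snap, policy) {
  return clickjackReasons(snap, policy).length > 0;
}

// Constructed sample data (not from the thread).
const policy = { allowedOrigins: ['https://news.example'], minWidth: 80, minHeight: 20 };
const openPolicy = { ...policy, allowedOrigins: null };
const visible = {
  ancestorOrigins: ['https://news.example'], occluded: false,
  viewport: { width: 120, height: 24 }, position: { x: 10, y: 200 },
  window: { width: 1024, height: 768 }, style: { opacity: 1, scale: 1 },
};
const overlaid = { ...visible, ancestorOrigins: ['https://attacker.example'],
  occluded: true, style: { opacity: 0, scale: 1 } };
```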
