ClickJackingModule (was Re: Comments on the Content Security Policy specification)

2009-10-20 Thread Adam Barth
Thanks Devdatta.  One of the nice things about separating the
clickjacking concerns from the XSS concerns is that developers can
deploy a policy like

X-Content-Security-Policy: frame-ancestors self

without having to make sure that all the setTimeout calls in their web
app use function objects instead of strings.

Adam


On Tue, Oct 20, 2009 at 6:05 PM, Devdatta dev.akh...@gmail.com wrote:
On a related note, just to have one more example (and for my learning), I went ahead and wrote a draft for ClickJackingModule.
https://wiki.mozilla.org/Security/CSP/ClickJackingModule

In general I like how short and simple each individual module is.

Cheers
Devdatta
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
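To make the frame-ancestors check concrete, here is an added example (not code from the thread or from the Mozilla CSP drafts) that evaluates a frame-ancestors source list against the chain of embedding origins, the decision a browser enforcing the ClickJackingModule has to make for every nested frame; X-Content-Security-Policy is the experimental 2009 header name. The host-source matching rules (scheme inherited from the page when none is given, a leading `*.` wildcard label, ports ignored) are simplified assumptions of mine.

```python
"""Evaluate a CSP frame-ancestors directive against a chain of embedding origins."""
from urllib.parse import urlsplit

# Constructed example policy, the one discussed in the thread.
EXAMPLE_POLICY = "frame-ancestors self"


def parse_frame_ancestors(header_value):
    """Return the frame-ancestors source list (quotes stripped, lower-cased),
    or None when the policy carries no such directive."""
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _origin(url):
    """(scheme, host, port) of a URL; hostname is already lower-cased by urlsplit."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname or "", p.port)


def _source_matches(source, page, ancestor):
    """Does one source expression permit this ancestor origin? (simplified rules)"""
    if source == "self":
        return ancestor == page          # same scheme, host and port as the framed page
    if source == "*":
        return True
    if source == "none":
        return False
    scheme, _, host = source.rpartition("://")
    # Assumption: a host-source without a scheme inherits the framed page's scheme.
    if (scheme or page[0]) != ancestor[0]:
        return False
    if host.startswith("*."):
        return ancestor[1].endswith(host[1:])   # "*.cdn.example" -> ".cdn.example"
    return ancestor[1] == host


def framing_allowed(header_value, page_url, ancestor_urls):
    """True if every origin in the frame chain is permitted.  A policy without
    frame-ancestors, or a top-level document (no ancestors), is never blocked."""
    sources = parse_frame_ancestors(header_value)
    if sources is None or not ancestor_urls:
        return True
    page = _origin(page_url)
    return all(any(_source_matches(s, page, _origin(a)) for s in sources)
               for a in ancestor_urls)
```

Note that a single disallowed origin anywhere in the ancestor chain blocks rendering, which is what stops an attacker page from hiding the victim behind an intermediate same-origin frame.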


Re: ClickJackingModule (was Re: Comments on the Content Security Policy specification)

2009-10-20 Thread Lucas Adamski
Note that the XSS mitigations can be opted out of, so we shouldn't
assume that mitigating something specific like clickjacking requires
XSS mitigations in the current proposal.

  Lucas.

On Oct 20, 2009, at 6:50 PM, Adam Barth wrote:


Thanks Devdatta.  One of the nice things about separating the
clickjacking concerns from the XSS concerns is that developers can
deploy a policy like

X-Content-Security-Policy: frame-ancestors self

without having to make sure that all the setTimeout calls in their web
app use function objects instead of strings.

Adam


On Tue, Oct 20, 2009 at 6:05 PM, Devdatta dev.akh...@gmail.com wrote:
On a related note, just to have one more example (and for my learning), I went ahead and wrote a draft for ClickJackingModule.
https://wiki.mozilla.org/Security/CSP/ClickJackingModule

In general I like how short and simple each individual module is.

Cheers
Devdatta

