Note that the XSS mitigations can be opted out of, so we shouldn't
assume that mitigating something specific like clickjacking requires
XSS mitigations in the current proposal.
Lucas.
On Oct 20, 2009, at 6:50 PM, Adam Barth wrote:
Thanks Devdatta. One of the nice things about separating the
clickjacking concerns from the XSS concerns is that developers can
deploy a policy like
X-Content-Security-Policy: frame-ancestors self
without having to make sure that all the setTimeout calls in their web
app use function objects instead of strings.
Adam
On Tue, Oct 20, 2009 at 6:05 PM, Devdatta dev.akh...@gmail.com wrote:
On a related note, just to have one more example (and for my
learning), I went ahead and wrote a draft for ClickJackingModule.
https://wiki.mozilla.org/Security/CSP/ClickJackingModule
In general I like how short and simple each individual module is.
Cheers
Devdatta
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
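As an added illustration of Adam's point (this is example code written for this page, not code from the thread or from the Mozilla CSP draft): a small parser for the header syntax quoted above, a framing check that only looks at `frame-ancestors`, and a static scan for the string-argument `setTimeout`/`setInterval` calls a developer would have to audit if they also adopted script restrictions. The directive-splitting rules, the origin strings and the sample script are assumptions constructed for the example; only the `frame-ancestors self` value comes from the mail.

```javascript
// Added example, not from the original thread. Assumes the draft header
// syntax "directive source source; directive ..." as quoted in the mail.

// Split a policy value into { directiveName: [sources...] }.
function parsePolicy(headerValue) {
  const directives = {};
  for (const chunk of headerValue.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// May a page at framerOrigin embed a document served with this policy?
// Only frame-ancestors is consulted; nothing about scripts matters here.
function framingAllowed(headerValue, documentOrigin, framerOrigin) {
  const allowed = parsePolicy(headerValue)['frame-ancestors'];
  if (!allowed) return true; // no directive: framing is unrestricted
  for (const src of allowed) {
    if (src === 'none') return false;
    if (src === '*') return true;
    if (src === 'self' && framerOrigin === documentOrigin) return true;
    if (src === framerOrigin) return true; // assumed: literal origin match
  }
  return false;
}

// True when the policy contains nothing but frame-ancestors, i.e. it
// addresses clickjacking without imposing any script restrictions.
function onlyFramingPolicy(headerValue) {
  const names = Object.keys(parsePolicy(headerValue));
  return names.length > 0 && names.every((n) => n === 'frame-ancestors');
}

// Audit helper: 1-based line numbers of timer calls whose first argument
// is a string literal (the form a script-restricting policy would break).
function findStringTimers(source) {
  const pattern = /\bset(?:Timeout|Interval)\s*\(\s*['"]/;
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (pattern.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample script for the audit helper.
const SAMPLE_SCRIPT = [
  'function poll() { refresh(); }',
  'setTimeout("refresh()", 1000);', // string form: needs eval
  'setTimeout(poll, 1000);',        // function form: fine
  "setInterval('tick()', 500);",    // string form again
].join('\n');

// Usage (assumed origins):
const policy = 'frame-ancestors self';
console.log(framingAllowed(policy, 'https://app.example', 'https://app.example')); // true
console.log(framingAllowed(policy, 'https://app.example', 'https://other.example')); // false
console.log(onlyFramingPolicy(policy)); // true
console.log(findStringTimers(SAMPLE_SCRIPT)); // [2, 4]
```

The split between `framingAllowed` and `findStringTimers` is the point: the first is all that a `frame-ancestors self` deployment needs, while the second only becomes relevant once a separate script-restricting directive is added.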