Thanks Devdatta. One of the nice things about separating the
clickjacking concerns from the XSS concerns is that developers can
deploy a policy like
X-Content-Security-Policy: frame-ancestors self
without having to make sure that all the setTimeout calls in their web
app use function objects.
Note that the XSS mitigations can be opted out of, so we shouldn't
assume that mitigating something specific like clickjacking requires
XSS mitigations in the current proposal.
Lucas.
On Oct 20, 2009, at 6:50 PM, Adam Barth wrote:
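An added example, written for this page and not code from the thread or from any CSP implementation: a small evaluator for the frame-ancestors directive as quoted above, next to the sort of setTimeout/setInterval audit a developer would otherwise have to run before turning on the XSS mitigations. The header name is the 2009 X-Content-Security-Policy draft; both the unquoted `self` written in the thread and the quoted `'self'` of later CSP are accepted. The origins (bank.example, evil.example, partner.example) and the sample application source are constructed for the example.

```javascript
// Added example (not from the thread, nor any CSP implementation): a minimal
// evaluator for the frame-ancestors directive, plus a crude audit for the
// setTimeout/setInterval-with-string calls that CSP's XSS mitigations
// (no eval-like constructs) would refuse. Header name per the 2009
// X-Content-Security-Policy draft; `self` and 'self' are both accepted.

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values.map((v) => v.toLowerCase());
  }
  return directives;
}

// Origin (scheme://host[:port]) of a URL, which is what CSP compares.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// host-source matching: "example.com", "https://example.com:8443",
// "*.example.com". A scheme-less source inherits the page's scheme.
function hostSourceMatches(src, pageOrigin, framerOrigin) {
  const full = src.includes('://') ? src : `${pageOrigin.split('//')[0]}//${src}`;
  const [scheme, hostPort] = full.split('//');
  const [framerScheme, framerHostPort] = framerOrigin.split('//');
  if (scheme !== framerScheme) return false;
  if (hostPort.startsWith('*.')) {
    // the wildcard covers subdomains only, not the bare domain itself
    return framerHostPort.endsWith(hostPort.slice(1));
  }
  return hostPort === framerHostPort;
}

// True if a page served from pageUrl with this header may be framed by a
// document at framerUrl. No frame-ancestors directive means no framing
// restriction, which is the point of the thread: a site can restrict framing
// without touching script-src and the eval/setTimeout-string rules that
// come with it.
function frameAllowed(header, pageUrl, framerUrl) {
  const sources = parsePolicy(header)['frame-ancestors'];
  if (!sources) return true;
  if (sources.includes("'none'")) return false;
  const page = originOf(pageUrl);
  const framer = originOf(framerUrl);
  for (const src of sources) {
    if (src === '*') return true;
    if (src === 'self' || src === "'self'") {
      if (framer === page) return true;
      continue;
    }
    if (hostSourceMatches(src, page, framer)) return true;
  }
  return false;
}

// Constructed sample of application code. Under CSP's XSS mitigations the
// string forms behave like eval and are refused; the function forms are fine.
const SAMPLE_SOURCE = [
  "setTimeout('refresh()', 1000);",
  "setTimeout(function () { refresh(); }, 1000);",
  'window.setInterval("poll()", 500);',
  "setInterval(poll, 500);",
].join('\n');

// Crude text audit: flag timer calls whose first argument is a string
// literal. It is a regex, so it misses strings held in variables; it is the
// kind of sweep a developer must do before enabling the XSS mitigations and
// can skip when deploying frame-ancestors alone.
function findStringTimers(source) {
  const re = /\b(setTimeout|setInterval)\s*\(\s*['"`]/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    hits.push({ fn: m[1], line: source.slice(0, m.index).split('\n').length });
  }
  return hits;
}

const POLICY = 'frame-ancestors self'; // as written in the thread
console.log(frameAllowed(POLICY, 'https://bank.example/login', 'https://bank.example/app')); // true
console.log(frameAllowed(POLICY, 'https://bank.example/login', 'https://evil.example/'));    // false
console.log(findStringTimers(SAMPLE_SOURCE)); // [{fn:'setTimeout',line:1},{fn:'setInterval',line:3}]
```

Run it with node. The evaluator only looks at frame-ancestors, so a header that carries just that directive, with no script-src or default-src, leaves every script feature of the page alone; the audit function shows what the developer would otherwise have had to clean up.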