[cap-talk] If a user is clickjacked in a forest, does it leak authority?

David Wagner daw at cs.berkeley.edu
Thu Mar 26 20:40:57 EDT 2009

Chip Morningstar wrote:
> Page A is generated by the webserver using ambient user credentials of
> some kind, such as cookies, such that it ends up containing a clickable
> link that opens page B in a new window.
> If I understand things properly, a clickjacking attack on Page A can trick
> the user into opening a window onto Page B, but once that has happened,
> the attacker is not left with any means to actually wield the authorities
> on Page B nor any obvious (to me) means to trick the user into wielding
> one of those authorities on its behalf.

I gather the key part is that page B opens in a new window/tab
(otherwise it seems like a two-stage clickjack would be possible).
I'd also like to be able to assume that Page B contains no content
controlled by any untrusted party (OK?).
Under these assumptions, I can't see any attack.

Tyler or MarcS would probably be in a better position to answer
than I, though, as I don't really know the powers of the browser
DOM API very well.

