[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Karp, Alan H alan.karp at hp.com
Fri Mar 27 11:42:03 EDT 2009

Sam Mason wrote:
> In the example given by Chip; what would prevent an attacker from
> performing an XMLHttpRequest and getting a copy of A for themselves,
> parsing out the link to page B and going from there?
Then anyone with access to page A has access to page B and all the rights it contains.  There's no need to induce the user to click anything.  In Chip's scenario, page A does not contain the URL for page B, just a way to tell some component to open page B in a separate window.  Since the URL for page B is unguessable, page B is not subject to clickjacking.

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029

More information about the cap-talk mailing list