[cap-talk] If a user is clickjacked in a forest, does it leak authority?
Karp, Alan H
alan.karp at hp.com
Fri Mar 27 11:42:03 EDT 2009
Sam Mason wrote:
> In the example given by Chip; what would prevent an attacker from
> performing an XMLHttpRequest and getting a copy of A for themselves,
> parsing out the link to page B and going from there?
Then anyone with access to page A has access to page B and all the rights it contains. There's no need to induce the user to click anything. In Chip's scenario, page A does not contain the URL for page B, just a way to tell some component to open page B in a separate window. Since the URL for page B is unguessable, page B is not subject to clickjacking.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
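The distinction drawn above (page A carrying the URL for page B versus page A only naming a component that opens B) can be turned into a mechanical check: does the HTML actually served for A contain any capability URL? The following Python is an added illustration, not code from the thread or from any project discussed in it; the host example.invalid, the toy server, and the opener component are all constructed for the example.

```python
"""Model of the page-A / page-B capability scenario from the thread.

Page B is reachable only through an unguessable capability URL. The
question "does page A leak authority?" becomes a mechanical check:
does the HTML served for page A literally contain any capability URL?
"""
import re
import secrets

# Hypothetical host used for the constructed URLs in this example.
BASE = "https://example.invalid"
# secrets.token_urlsafe(32) yields 43 base64url characters (256 bits).
TOKEN_RE = re.compile(re.escape(BASE) + r"/cap/[A-Za-z0-9_-]{43}")


def mint_capability_url():
    """Return a fresh unguessable URL (a capability) for a protected page."""
    return f"{BASE}/cap/{secrets.token_urlsafe(32)}"


class CapabilityServer:
    """Toy server: a public page A (two variants), a protected page B,
    and an opener component that holds the URL for B on A's behalf."""

    def __init__(self):
        self.page_b_url = mint_capability_url()
        self.pages = {
            self.page_b_url: "<h1>Page B: privileged action</h1>",
            # Leaky variant: A embeds the capability URL in its markup, so
            # anyone who can read A can read the URL for B.
            f"{BASE}/a-leaky": f'<a href="{self.page_b_url}">open B</a>',
            # Safe variant (the scenario in the thread): A only names an
            # opener component; the URL for B lives in the component's
            # state, never in A's markup.
            f"{BASE}/a-safe": '<button data-opener="page-b">open B</button>',
        }
        self.openers = {"page-b": self.page_b_url}

    def fetch(self, url):
        """Serve a page, or None when the URL is unknown (e.g. a wrong guess)."""
        return self.pages.get(url)

    def open_via_component(self, opener_id):
        """What the component does on a click: it alone resolves the URL for B."""
        return self.fetch(self.openers[opener_id])


def leaks_authority(html):
    """Return every capability URL literally present in served HTML.
    An empty list means reading the page conveys no authority over B."""
    return TOKEN_RE.findall(html)


if __name__ == "__main__":
    srv = CapabilityServer()
    for path in ("/a-leaky", "/a-safe"):
        html = srv.fetch(BASE + path)
        print(path, "leaks:", leaks_authority(html))
```

Running leaks_authority over every publicly served page is the regression check a defender wants here: the safe variant of A passes because its markup names only an opener component, while a freshly minted URL that was never handed out resolves to nothing, which is what makes B's URL unguessable rather than merely hidden.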