[cap-talk] If a user is clickjacked in a forest, does it leak authority?

David Wagner daw at cs.berkeley.edu
Fri Mar 27 20:16:25 EDT 2009

Sam Mason  wrote:
> In the example given by Chip; what would prevent an attacker from
> performing an XMLHttpRequest and getting a copy of A for themselves,
> parsing out the link to page B and going from there?

The same-origin policy.  Scripts can only access pages from the same
origin via XMLHttpRequest.  The threat model for clickjacking is malicious
site X tries to attack victim site Y -- two different origins, so your
XMLHttpRequest approach doesn't apply.

More information about the cap-talk mailing list