[cap-talk] If a user is clickjacked in a forest, does it leak authority?
daw at cs.berkeley.edu
Fri Mar 27 20:16:25 EDT 2009
Sam Mason wrote:
> In the example given by Chip; what would prevent an attacker from
> performing an XMLHttpRequest and getting a copy of A for themselves,
> parsing out the link to page B and going from there?
The same-origin policy. Scripts can only access pages from the same
origin via XMLHttpRequest. The threat model for clickjacking is malicious
site X tries to attack victim site Y -- two different origins, so your
XMLHttpRequest approach doesn't apply.
More information about the cap-talk