On Thu, Jul 7, 2011 at 11:35 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> Can this be reworked to discuss the authorization endpoint specifically?
> The use of 'target' site is confusing. This section needs to be much more
> specific to the authorization process.

Just chiming in to say that I am happy this language is being added. The
currently proposed text is a good starting point, and I agree with Eran's
last recommendation.

> EHL
>
> > -----Original Message-----
> > From: Mark Mcgloin [mailto:mark.mcgl...@ie.ibm.com]
> > Sent: Wednesday, July 06, 2011 8:56 AM
> > To: Eran Hammer-Lahav
> > Cc: oauth@ietf.org; Torsten Lodderstedt
> > Subject: Re: [OAUTH-WG] Draft 16 Security Considerations additions
> >
> > Clickjacking
> >
> > Clickjacking is the process of tricking users into revealing confidential
> > information or taking control of their computer while clicking on seemingly
> > innocuous web pages. In more detail, a malicious site loads the target site in a
> > transparent iframe overlaid on top of a set of dummy buttons which are
> > carefully constructed to be placed directly under important buttons on the
> > target site. When a user clicks a visible button, they are actually clicking a
> > button (such as an "Authorize" button) on the hidden page.
> >
> > To prevent clickjacking (and phishing attacks), native applications SHOULD
> > use external browsers instead of embedding browsers in an iFrame when
> > requesting end-user authorization. For newer browsers, avoidance of
> > iFrames can be enforced server side by using the X-FRAME-OPTION header.
> > This header can have two values, deny and sameorigin, which will block any
> > framing or framing by sites with a different origin, respectively. For older
> > browsers, JavaScript framebusting techniques can be used but may not be
> > effective in all browsers.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Breno de Medeiros