The Web Application Security Working Group at the W3C is nearing one year since its charter was approved. In that time, it’s made some quite important progress. Content Security Policy (CSP) 1.0 is fast approaching Working Group Last Call, version 1.1 is under draft, and Cross-Origin Resource Sharing (CORS) has completed Working Group Last Call with a new security considerations section. Congratulations and thanks to the editors Anne van Kesteren, Adam Barth and Brandon Sterne.
The other threat this WG was chartered to address was clickjacking. Since its flashy debut five years ago, clickjacking and other variants on user interface redressing attacks have remained a quiet thorn in the side of web application authors and security teams. With X-Frame-Options as the only commonly implemented solution to emerge in that time, vulnerable applications are left with the unappealing choice of accepting the risk of clickjacking or opting-out of in-context display altogether. With the increasing popularity of in-context mashups for applications like social networking, shopping and payments, the risks to users and the potential profits for attackers are quite real.
This is why I’m so pleased that at the WebAppSec WG’s second face to face meeting on May 2-3, a real start was made towards effective risk mitigation for many forms of clickjacking. At the end of a session devoted to clickjacking, the WG agreed to proceed towards standardizing a combination of client-side detection heuristics, informed by application-supplied policy hints, with a reporting loop that can feed into server-side anti-fraud systems. Web security pioneer Giorgio Maone, author of NoScript, has generously volunteered to edit the new specification and contribute the techniques he developed with ClearClick. David Lin-Shung Huang will co-edit, bringing his own insights and refinements from research into anti-clickjacking technology at Carnegie-Mellon University Silicon Valley and Microsoft Research.
I’m also happy that some of the research we’ve been doing here at PayPal on anti-fraud analytics and clickjacking will be contributed to the standard, to help close the loop between user agent detection and application response and remove the need for yet another browser security dialog box. You can read more about that work for the first time here:
If you’re interested in helping to fix clickjacking, please follow the WG's progress at [email protected].
- Brad Hill