Ask HN: A Clickjacking Defense Suggestion?
The problem: when a website has a post comments section that allows including HTML, an attacker can post a link that utilizes a clickjacking attack by posting a button that says, e.g., "click here!", but when the user clicks it, it deletes the account.
The traditional solution is validating such an action by prompting with a required confirmation, e.g. "Are you sure you want to delete the account?", or entering some text such as "delete" or the user's name.
I have a suggestion for a framework that utilizes contexts, which would defend sensitive actions more broadly, and I would like to bring it up here.
What I suggest is to have a context on every website section, such as comments and the user's profile, so that when a logged-in user is in the comments section they are only able to utilize the front end's comment context. From the comments context the profile context will be invisible, and the comments context is the only one that will be able to talk to the comments endpoint on the server.
Problem solved? WDYT?
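One way to make the proposed context idea concrete on the server side, as an added example that is not part of the original post (the endpoint paths, the session id and the HMAC-bound token scheme are my assumptions): each section's front end receives a token minted for its context, and every state-changing endpoint accepts only a POST carrying a token for its own context, so a "click here!" planted in the comments section cannot reach the account-deletion endpoint.

```python
# Added example (not from the HN post): a minimal server-side model of
# per-section "contexts". Each section gets a context token; a sensitive
# endpoint accepts only a token minted for its own context, so a request
# that originates from the comments context cannot reach account deletion.
import hmac
import hashlib
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-deployment secret

def mint_context_token(session_id: str, context: str) -> str:
    """Token the server hands to the front end when it renders a section."""
    msg = f"{session_id}|{context}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def token_valid_for(session_id: str, context: str, token: str) -> bool:
    """Constant-time check that the token was minted for this context."""
    expected = mint_context_token(session_id, context)
    return hmac.compare_digest(expected, token)

# Each state-changing endpoint declares the only context allowed to call it
# (hypothetical paths chosen for the example).
ENDPOINT_CONTEXT = {
    "/comments/post": "comments",
    "/account/delete": "profile",
}

def handle_request(session_id: str, method: str, path: str, token: str) -> tuple[int, str]:
    """Return (status, reason) for a request against a state-changing endpoint."""
    if method != "POST":
        # A plain <a href> or <img src> planted in a comment only makes GETs.
        return 405, "state change must be a POST"
    required = ENDPOINT_CONTEXT.get(path)
    if required is None:
        return 404, "unknown endpoint"
    if not token_valid_for(session_id, required, token):
        return 403, f"token not minted for the {required!r} context"
    return 200, "ok"

if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    comments_tok = mint_context_token(sid, "comments")
    profile_tok = mint_context_token(sid, "profile")
    print(handle_request(sid, "POST", "/comments/post", comments_tok))   # 200
    print(handle_request(sid, "POST", "/account/delete", comments_tok))  # 403
    print(handle_request(sid, "GET", "/account/delete", profile_tok))    # 405
    print(handle_request(sid, "POST", "/account/delete", profile_tok))   # 200
```

This is essentially a CSRF token scoped per section; it does not replace frame-busting (`X-Frame-Options` / `frame-ancestors`) for true clickjacking, where the real profile page is loaded in a hidden frame, so both belong together.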