IE8 'ClickJacking' security defenses

One of the most subtle and interesting web application security vulnerabilities is called Cross Site Request Forgery (CSRF), known as ClickJacking. In designing Internet Explorer 8 (currently at RC1), we had to be very careful not to increase the browser's attack surface for CSRF attacks. IE8's new XDomainRequest object, for instance, allows cross-domain communication only with the explicit permission of the server, and carries specific restrictions to ensure that it does not make new types of CSRF attack possible. End users can mitigate the impact of CSRF attacks by logging out of sensitive websites when they are not in use, and by browsing in independent InPrivate Browsing sessions. […]
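As an added example (not code from the original post or from the IE team), the snippet below models the server side of the "explicit permission" handshake that XDomainRequest depends on, and why its restrictions keep it out of the CSRF picture: XDR sends the calling page's Origin header but never attaches cookies or HTTP authentication, and the browser only releases the response to the page if the server answers with Access-Control-Allow-Origin. The allowed-origin list, the session token store and the transfer endpoint are constructed assumptions for illustration.

```javascript
// Added example, not from the original post: a defender-side model of the
// server permission check XDomainRequest (XDR) relies on, plus a state-changing
// endpoint that does not depend on ambient session state.

const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed
// Per-session anti-CSRF tokens (constructed sample data, not a real store).
const SESSION_TOKENS = new Map([["sess-1", "tok-abc"]]);

// What an XDR request from a page at pageOrigin looks like on the wire:
// only an Origin header. No Cookie header, whatever cookies the user holds.
function xdrRequestHeaders(pageOrigin) {
  return { origin: pageOrigin };
}

// The "explicit permission" step. Echo the exact origin if it is on the list.
// Returning null means no CORS header, so the browser reports an error to the
// calling page and a hostile page's script never reads the response body.
function crossDomainPermission(headers) {
  const origin = headers.origin;
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) return null;
  return { "Access-Control-Allow-Origin": origin }; // never "*" for private data
}

// A state-changing endpoint. Because an XDR request carries no cookie, the
// server must not fall back to ambient session state; the session id and its
// token both have to arrive in the request body, which a third-party page does
// not know. This rejects a cookie-only CSRF POST (no token) as well as an XDR
// request from an origin the server never granted permission to.
function authorizeTransfer(headers, body) {
  const permission = crossDomainPermission(headers) || {};
  if (headers.origin !== undefined && !("Access-Control-Allow-Origin" in permission)) {
    return { ok: false, reason: "origin not permitted", headers: permission };
  }
  const expected = SESSION_TOKENS.get(body.session);
  if (expected === undefined || body.token !== expected) {
    return { ok: false, reason: "missing or wrong anti-CSRF token", headers: permission };
  }
  return { ok: true, reason: "", headers: permission };
}
```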
