On Mon, Dec 7, 2009 at 7:56 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> Has anyone raised the issue that sandboxed iframes actually enable
> "clickjacking" when frame buster defences are applied?
>
> <iframe sandbox="allow-forms" src="http://twitter.com/login"></iframe>
>
> So here the spec says disable scripts but allow forms, this would render a
> javascript frame breaker useless.

Frame breakers are already useless. You need to either do what Twitter does (refuse to show the page until you've verified that you're not in a frame) or use X-Frame-Options: deny.

Adam

Received on Tuesday, 8 December 2009 04:11:26 GMT
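The three approaches the reply contrasts, as an added example that is not code from this thread or from Twitter: the script-only frame buster that a sandbox with scripts disabled defeats, the "hidden until verified not framed" pattern Adam describes (written here as a generic rule, not Twitter's actual markup), and the X-Frame-Options header. The `contentVisible` model and the `/login` form are constructed for illustration.

```javascript
// 1. Server side: X-Frame-Options takes the decision away from page scripts,
//    so a sandbox that disables scripts changes nothing (supporting browsers).
function frameProtectionHeaders() {
  return { 'X-Frame-Options': 'DENY' };
}

// 2. Classic frame buster: the form is rendered first, the script runs after.
//    Inside <iframe sandbox="allow-forms"> the script never executes, so the
//    login form is displayed in the frame and remains clickjackable.
function legacyFrameBusterMarkup() {
  return [
    '<form action="/login" method="post">...</form>',
    '<script>if (top !== self) { top.location = self.location; }</script>',
  ].join('\n');
}

// 3. Hidden until verified: CSS hides the body up front; only a script that
//    has actually run, at top level, removes the hiding rule. If a sandbox
//    disables scripts the page simply stays blank, which is the safe default.
//    (Generic pattern, not a copy of Twitter's implementation.)
function hiddenUntilVerifiedMarkup() {
  return [
    '<style id="antiClickjack">body { display: none !important; }</style>',
    '<script>',
    '  if (self === top) {',
    '    var s = document.getElementById("antiClickjack");',
    '    s.parentNode.removeChild(s); // reveal: we are the top-level document',
    '  } else {',
    '    top.location = self.location; // best effort, a sandbox may block it',
    '  }',
    '</script>',
    '<form action="/login" method="post">...</form>',
  ].join('\n');
}

// Constructed model of the outcome: is the login form visible to the user in
// the given embedding context? framed: inside an <iframe>; scriptsEnabled:
// false when the frame carries a sandbox attribute without allow-scripts.
function contentVisible(defence, ctx) {
  switch (defence) {
    case 'frame-buster':           // shown unless the script ran and busted out
      return !(ctx.framed && ctx.scriptsEnabled);
    case 'hidden-until-verified':  // shown only at top level with scripts on
      return ctx.scriptsEnabled && !ctx.framed;
    case 'x-frame-options':        // the browser refuses to render it framed
      return !ctx.framed;
    default:
      throw new Error('unknown defence: ' + defence);
  }
}
```

With `{ framed: true, scriptsEnabled: false }` (the sandboxed iframe from the quoted message) only the frame buster leaves the form visible; the other two do not depend on page script running.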
This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT