Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea) from sird@rckc.at on 2009-12-08 (public-web-security@w3.org from December 2009)

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 14:10:43 +0800
To: Adam Barth <w3c@adambarth.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Maciej Stachowiak <mjs@apple.com>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Message-ID: <8ba534860912072210r3318494aq94974d8871b0cc99@mail.gmail.com>

So now we should convince all developers in the world to start changing
their layout to that haha..

Nah I'm kidding.. this code + X-FRAME-OPTIONS should protect people against
clickjacking:

<html>
<head>
<script type="text/javascript">if(top!=self)document.write("<plaintext
style=display:none>");</script>
<noscript><plaintext style=display:none/></noscript>

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 2:07 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Mon, Dec 7, 2009 at 9:23 PM, sird@rckc.at <sird@rckc.at> wrote:
> > Adam, the Webkit XSS Filter can disable twitter's protection:
>
> Oh, I thought they were doing something more clever.
>
> > So actually...  in my opinion, the correct way is this one: (idea by
> david
> > ross)
> >
> > http://sla.ckers.org/forum/read.php?2,32339#msg-32343
>
> Ah, that's cute.  David Ross is a smart guy.
>
> Adam
>

Received on Tuesday, 8 December 2009 06:11:43 UTC