
Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 14:13:15 +0800
Message-ID: <8ba534860912072213ob6e628du99f57bf9c29ed365@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Maciej Stachowiak <mjs@apple.com>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org

Btw, X-FRAME-OPTIONS is only needed for Webkit.. IE's filter is compatible
with the aforementioned solution.

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 2:10 PM, sird@rckc.at <sird@rckc.at> wrote:

> So now we should convince all developers in the world to start changing
> their layout to that haha..
>
> Nah I'm kidding.. this code + X-FRAME-OPTIONS should protect people against
> clickjacking:
>
> <html>
> <head>
> <script type="text/javascript">if(top!=self)document.write("<plaintext style=display:none>");</script>
> <noscript><plaintext style=display:none/></noscript>
>
> Greetings!!
>
> -- Eduardo
> http://www.sirdarckcat.net/
>
> Sent from Hangzhou, 33, China
>
> On Tue, Dec 8, 2009 at 2:07 PM, Adam Barth <w3c@adambarth.com> wrote:
>
>> On Mon, Dec 7, 2009 at 9:23 PM, sird@rckc.at <sird@rckc.at> wrote:
>> > Adam, the Webkit XSS Filter can disable twitter's protection:
>>
>> Oh, I thought they were doing something more clever.
>>
>> > So actually...  in my opinion, the correct way is this one: (idea by david ross)
>> >
>> > http://sla.ckers.org/forum/read.php?2,32339#msg-32343
>>
>> Ah, that's cute.  David Ross is a smart guy.
>>
>> Adam
>>
>
>
Received on Tuesday, 8 December 2009 06:14:08 GMT
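
Added example (not part of the original messages): a JavaScript check a defender could run over a captured response to confirm that both layers named in the thread are present, the X-Frame-Options header and the script/noscript `<plaintext>` fallback at the top of the page. The function name, finding strings and sample page are constructed for illustration; the check accepts the header values DENY and SAMEORIGIN.

```javascript
// Audits one HTTP response for the two layers named in the thread.
// auditFramingDefenses, the finding strings and SAMPLE_PAGE are constructed.
function auditFramingDefenses(headers, html) {
  const findings = [];
  // Header names are case-insensitive; normalise before lookup.
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === '') findings.push('missing X-Frame-Options header');
  else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN')
    findings.push('unrecognised X-Frame-Options value: ' + xfo);

  // Look only inside <head>, where the thread's snippet places the defence.
  const headMatch = html.match(/<head(?:\s[^>]*)?>([\s\S]*?)(?:<\/head>|$)/i);
  const head = headMatch ? headMatch[1] : '';
  const hidden = /<plaintext\s+style\s*=\s*["']?display\s*:\s*none/i;

  // Script layer: a top/self comparison that writes the hidden <plaintext>.
  const script = head.match(/<script[^>]*>([\s\S]*?)<\/script>/i);
  const scriptOk = script !== null &&
    /top\s*!==?\s*self|self\s*!==?\s*top/.test(script[1]) &&
    /document\.write\s*\(/.test(script[1]) && hidden.test(script[1]);
  if (!scriptOk) findings.push('missing script fallback');

  // Noscript layer: the same hidden <plaintext> for clients with scripting off.
  const noscript = head.match(/<noscript[^>]*>([\s\S]*?)<\/noscript>/i);
  if (!(noscript && hidden.test(noscript[1])))
    findings.push('missing noscript fallback');

  return { protected: findings.length === 0, findings };
}

// Constructed sample page carrying the snippet quoted in the thread.
const SAMPLE_PAGE = '<html>\n<head>\n' +
  '<script type="text/javascript">if(top!=self)document.write(' +
  '"<plaintext style=display:none>");</script>\n' +
  '<noscript><plaintext style=display:none/></noscript>\n' +
  '</head><body>account settings</body></html>';
```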
