W3C home > Mailing lists > Public > www-html@w3.org > August 2002

xframes: security/abuse

From: Michael Facius <m.facius@eomedia.de>
Date: Sat, 10 Aug 2002 15:08:55 -0400 (EDT)
Message-ID: <000501c240a1$55f33630$6f01a8c0@nastyserver>
To: <www-html@w3.org>

Site builders abused HTML frames by including external pages into their framesets instead of loading them in a new frameset or window. With XFrames, you cannot just do that, but also might anyone modify a given frameset by just changing the argument URIs. 

For instance, think of a shop frameset buy.xfm#frames(nav=menu.html,main=orderform.html). Some malicious evil.org might set a link to that frameset on its page, rewriting it as buy.xfm#frames(nav=menu.html,main=http://www.evil.org/orderform.html), with its orderform.html being a copy of the original, but having a different action for the <form> that reroutes entered information to the evil.org server, stores it in a database and sells it to a spam company. Anyone not familiar with URIs and xframes syntax, anyone being unalert wouldn't notice the subtle difference.

I am unsure if this is a problem an xframes specification could or should handle. Probably user agents should offer security levels allowing and disallowing absolute/external uris in xframes URIs. Anyway, abuse is a issue the working group should not entirely leave to implementations.

Best regards,
Michael Facius
Received on Sunday, 11 August 2002 23:18:32 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:06:00 UTC