Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

On Mon, Dec 7, 2009 at 7:56 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> Has anyone raised the issue that sandboxed iframes actually enable
> "clickjacking" when frame buster defences are applied?
>
> <iframe sandbox="allow-forms" src="http://twitter.com/login"></iframe>
>
> So here the spec says disable scripts but allow forms; this would render a
> JavaScript frame breaker useless.

Frame breakers are already useless.  You need to either do what
Twitter does (refuse to show the page until you've verified that
you're not in a frame) or use X-Frame-Options: deny.

Adam

Received on Tuesday, 8 December 2009 04:11:26 UTC