Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea) from sird@rckc.at on 2009-12-08 (public-web-security@w3.org from December 2009)

From: <sird@rckc.at>
Date: Tue, 8 Dec 2009 13:23:01 +0800
To: Adam Barth <w3c@adambarth.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Maciej Stachowiak <mjs@apple.com>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Message-ID: <8ba534860912072123p35d2fa29p431b7f5dc04e55a7@mail.gmail.com>

Adam, the Webkit XSS Filter can disable twitter's protection:

As well as IE's

<script type="text/javascript">

//<![CDATA[
if (window.top !== window.self) {document.write =
"";window.top.location = window.self.location;
setTimeout(function(){document.body.innerHTML='';},1);window.self.onload=function(evt){document.body.innerHTML='';};}

//]]>
</script>


So actually...  in my opinion, the correct way is this one: (idea by david
ross)

http://sla.ckers.org/forum/read.php?2,32339#msg-32343

Greetz!!

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 12:10 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Mon, Dec 7, 2009 at 7:56 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> > Has an anyone raised the issue that sandboxed iframes actually enable
> > "clickjacking" when frame buster defences are applied?
> >
> > <iframe sandbox="allow-forms" src="http://twitter.com/login"></iframe>
> >
> > So here the spec says disable scripts but allow forms, this would render
> a
> > javascript frame breaker useless.
>
> Frame breakers are already useless.  You need to either do what
> Twitter does (refuse to show the page until you've verified that
> you're not in a frame) or use X-Frame-Options: deny.
>
> Adam
>

Received on Tuesday, 8 December 2009 05:24:03 UTC