- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 18 Feb 2009 10:27:47 -0500
On Thu, 25 Sep 2008, Michal Zalewski wrote: > 1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of > "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web > page to inhibit frame rendering in potentially dangerous situations. > > Pros: > > - Super-simple > > Cons: > > - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless > action is taken Right. And really no different from: <script> if (window != window.top) window.top.location.href = window.location.href; </script> in effect, right? This last already works in all browsers except IE, which is presumably why IE felt the need to add another way to do it. There _is_ an issue here if script is disabled, of course. In that case, are there still situations where the parent frame can effectively mislead the user? > 2) Add a document-level mechanism to make "if nested <show this> else > <show that>" conditionals possible without Javascript. One proposal is > to do this on the level of CSS (by using either the media-dependency > features of CSS or special classes); another is to introduce new HTML > tags. This would make it possible for pages to defend themselves even > in environments where Javascript is disabled or limited. Right, addressing the concern above. The pro is that it ties information directly to the document. The con is that it's harder to deploy site-wide.... Is that a concern? -Boris
Received on Wednesday, 18 February 2009 07:27:47 UTC