- From: Bil Corry <bil@corry.biz>
- Date: Wed, 18 Feb 2009 14:31:58 -0600
Boris Zbarsky wrote on 2/18/2009 9:27 AM:
> On Thu, 25 Sep 2008, Michal Zalewski wrote:
>> 1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of
>> "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
>> page to inhibit frame rendering in potentially dangerous situations.
>>
>> Pros:
>>
>> - Super-simple
>>
>> Cons:
>>
>> - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
>> action is taken
>
> Right. And really no different from:
>
> <script>
> if (window != window.top)
>   window.top.location.href = window.location.href;
> </script>
>
> in effect, right? This last already works in all browsers except IE,
> which is presumably why IE felt the need to add another way to do it.

Supposedly, a future release of IE8 will fix this (see Issue #4):

http://ha.ckers.org/blog/20081007/clickjacking-details/

> There _is_ an issue here if script is disabled, of course. In that
> case, are there still situations where the parent frame can effectively
> mislead the user?

One solution I've seen is to position a giant <div> over the page so that nothing is clickable when JavaScript is disabled:

<script>if (top != self) top.location = location</script>
<noscript><div style="position:absolute;left:0;top:0;z-index:999;width:10000px;height:10000px;background-color:black;color:white;">This page requires JavaScript</div></noscript>

Of course, that breaks the site for anyone surfing without JavaScript.

- Bil
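The two-layer defense discussed in the message (frame-bust when script runs, blanket noscript overlay otherwise), as an added example that is not from the thread: the browser `window` is replaced by a small constructed mock so the decision logic can be exercised in Node, and the names `makeWindow`, `isFramed`, `frameBust` and `defend` are assumed for this example.

```javascript
// Added example, not code from the thread. A minimal stand-in for the
// browser `window` carrying only the fields the frame-busting check reads.
// `parent` is the embedding window, or null for a top-level document.
function makeWindow(href, parent = null) {
  const win = { location: { href }, parent };
  win.self = win;
  win.top = parent ? parent.top : win; // outermost window in the hierarchy
  return win;
}

// The check from Boris's message: are we rendered inside someone else's frame?
function isFramed(win) {
  return win.self !== win.top;
}

// Script-enabled path: point the top-level window at our own URL. Browsers
// allow a frame to *assign* top.location even across origins (reading it
// would throw), which is what lets this escape a third-party embedder.
function frameBust(win) {
  if (!isFramed(win)) return false;
  win.top.location.href = win.location.href;
  return true;
}

// The <noscript> fallback from the message, kept as markup for a template.
const NOSCRIPT_OVERLAY =
  '<noscript><div style="position:absolute;left:0;top:0;z-index:999;' +
  'width:10000px;height:10000px;background-color:black;color:white;">' +
  'This page requires JavaScript</div></noscript>';

// Which layer applies for a given page load:
//   'redirect' - frame-busting fired and moved the top window to our URL
//   'overlay'  - script is disabled, only the noscript overlay protects us
//   'none'     - not framed, nothing to do
// Note the caveat from the message: with script disabled the overlay covers
// the page whether or not it is framed, so no-JS visitors lose the site.
function defend(win, scriptEnabled) {
  if (!scriptEnabled) return 'overlay';
  return frameBust(win) ? 'redirect' : 'none';
}

// Stand-alone demo on constructed windows: a page embedded by another origin.
const embedder = makeWindow('https://embedder.example/');
const page = makeWindow('https://site.example/account', embedder);
console.log(defend(page, true), '->', embedder.location.href);
```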
Received on Wednesday, 18 February 2009 12:31:58 UTC