- From: Perry Smith <pedzsan@gmail.com>
- Date: Fri, 21 May 2010 12:46:35 -0500
On May 19, 2010, at 8:14 PM, Collin Jackson wrote:

> On Wed, May 19, 2010 at 4:57 PM, Adam Barth <w3c at adambarth.com> wrote:
>> Virtually none of the JavaScript framebusting scripts used by web sites are effective.
>
> Yes. If anyone would like to see more evidence of this, here's a recent study of the Alexa Top 500 web sites. None of them were framebusting correctly with JavaScript.
>
> http://w2spconf.com/2010/papers/p27.pdf

This probably is not the right list for this, but it seems like the X-FRAME-OPTIONS HTTP header could be strengthened by having the UA send all requests from pages that have the X-FRAME-OPTIONS to also contain either the X-FRAME-OPTIONS or another tag. One weakness pointed out in the paper is that proxies can strip the header. If the server doesn't see the header come back, it would know that it got stripped out and the request needs to be questioned.

I don't know if there is a way to introduce "fake" HTTP headers into requests or not. If there is, that would need to be addressed too.

Perry
Received on Friday, 21 May 2010 10:46:35 UTC
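As an added example (not part of the thread or any browser's code), a small Python audit that classifies the X-Frame-Options header on captured responses the way a browser would read it, and shows that a header stripped by an intermediary is indistinguishable, on the receiving side, from a header the server never set. All sample responses are constructed.

```python
# Added example (not from the thread): audit X-Frame-Options on HTTP responses.
# Headers are (name, value) pairs, as on the wire, so repeated headers and
# mixed-case names are handled.  All sample responses are constructed.

def classify_xfo(headers):
    """Classify the framing policy a browser would derive from `headers`.

    Returns one of: 'deny', 'sameorigin', 'allow-from', 'missing', 'invalid'.
    Header names compare case-insensitively; a second X-Frame-Options header
    is reported as invalid because browsers do not agree on how to merge them.
    """
    values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return "missing"
    if len(values) > 1:
        return "invalid"
    value = values[0].upper()
    if value in ("DENY", "SAMEORIGIN"):
        return value.lower()
    if value.startswith("ALLOW-FROM "):
        return "allow-from"  # a URI follows; not every browser honoured this form
    return "invalid"

def strip_header(headers, name):
    """Model an intermediary that drops `name`; returns the remaining headers."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]

def audit(responses):
    """Run classify_xfo over a mapping of label -> header list."""
    return {label: classify_xfo(hdrs) for label, hdrs in responses.items()}

# Constructed samples.  Note that "stripped-by-proxy" and "never-set" are
# byte-for-byte identical once they reach the browser, which is the gap the
# message above is trying to close.
PROTECTED = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]
SAMPLE_RESPONSES = {
    "protected": PROTECTED,
    "stripped-by-proxy": strip_header(PROTECTED, "X-Frame-Options"),
    "never-set": [("Content-Type", "text/html")],
    "lowercase-name": [("x-frame-options", " sameorigin ")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
    "conflicting": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "typo": [("X-Frame-Options", "ALLOWALL")],
}

if __name__ == "__main__":
    for label, finding in audit(SAMPLE_RESPONSES).items():
        print(f"{label:18} -> {finding}")
```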