- From: Dennis Joachimsthaler <dennis@efjot.de>
- Date: Tue, 02 Aug 2011 12:21:31 +0200
I think this needs a better thread title... Feel free to change it.

I've been having this idea. Usually when you insert an <iframe>, for example, you can easily manipulate its DOM structure. There is no way to prevent this, or is there?

The top document can even just sandbox the iframe and allow scripts, but not allow top navigation. In this case the sandboxed iframe is stuck. The top can do whatever it wants with it, unless the sandbox does some weird combination of JavaScript that might save it from manipulation. Many sites do this, but some do not!

I propose a <head> or <html> attribute or tag which puts the document into a "protected" mode, thus preventing it from being put into an iframe and/or manipulated.

The dangers of this situation could be as follows: Somebody puts <insert social network here> into an iframe, making you log in automatically. He now has access to your data. Instantly. When you access any site.

Proposing a very easy-to-implement protection from iframe manipulation is something that would be very helpful for webmasters.

A few ideas of implementation:

<html topmanipulation="protected">
<html protected>
<html topprotected>
<html contentprotected>
<body contentprotected>

<body contentprotected="all"> could protect it from all script access. This could be sent for webserver responses that MUST NOT be caught by anything (user scripts?).

Also being able to apply this to any container tag, if someone wants to fine-grain the security.
Received on Tuesday, 2 August 2011 03:21:31 UTC