- From: Dennis Joachimsthaler <dennis@efjot.de>
- Date: Tue, 02 Aug 2011 12:48:06 +0200
On 02.08.2011, 12:38, Anne van Kesteren <annevk at opera.com> wrote:

> On Tue, 02 Aug 2011 12:33:18 +0200, Dennis Joachimsthaler
> <dennis at efjot.de> wrote:
>> I took a look at the X-Frame-Options and it only disallows displaying
>> in a frame, not forbidding only script access.
>
> What kind of script access is allowed cross-origin that you are
> concerned about?

I agree that just disallowing that the page gets shown is one solution, but I am mainly concerned about reading important information out of an iframed site.

Say there's a site which uses an autologin facility to automatically log its users in when the site is opened. Malicious guy #1 prepares a site that loads the same site in an iframe. The site with the precious information could now do either:

a) Use a JavaScript to try getting the "top" site off the iframe (top.location). If it's sandboxed and top.location is disallowed, this doesn't help.

b) Use the X-Frame-Options header. Doesn't work in all browsers! (But seriously, this would also be a weakness of my proposition, so I give it that.)

Also, what if he wants to allow his content to be framed? This is a use case when there's a cross-site login system using a frame. Of course the login provider does not want the site that uses it to spy on the login info of his clients.

I just had another idea: The same protection would apply to pop-ups.
Received on Tuesday, 2 August 2011 03:48:06 UTC