- From: Michael Facius <m.facius@eomedia.de>
- Date: Sat, 10 Aug 2002 15:08:55 -0400 (EDT)
- To: <www-html@w3.org>
Site builders abused HTML frames by including external pages in their framesets instead of loading them in a new frameset or window. With XFrames, not only can you do that, but anyone might also modify a given frameset by just changing the argument URIs.

For instance, think of a shop frameset buy.xfm#frames(nav=menu.html,main=orderform.html). Some malicious evil.org might set a link to that frameset on its page, rewriting it as buy.xfm#frames(nav=menu.html,main=http://www.evil.org/orderform.html), with its orderform.html being a copy of the original but having a different action for the <form> that reroutes the entered information to the evil.org server, stores it in a database and sells it to a spam company. Anyone not familiar with URIs and XFrames syntax, or anyone who is not alert, wouldn't notice the subtle difference.

I am unsure whether this is a problem an XFrames specification could or should handle. Probably user agents should offer security levels allowing and disallowing absolute/external URIs in XFrames URIs. Anyway, abuse is an issue the working group should not entirely leave to implementations.

Best regards,
Michael Facius
Received on Sunday, 11 August 2002 23:18:32 UTC
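The user-agent check the message suggests, as an added example that is not part of the original post or of any XFrames implementation: it parses the #frames(name=uri,...) fragment syntax shown above and, under a hypothetical "same-origin only" security level, rejects any argument URI that resolves outside the origin of the frameset document. The frameset origin http://shop.example and the frame names are constructed for the example.

```javascript
// Added example, not from the original message. Parses the XFrames fragment
// form "#frames(name=uri,name=uri,...)" into a name -> URI map.
// Limitation: URIs containing a literal comma would need escaping; the
// original syntax quoted in the message does not cover that case.
function parseFramesFragment(fragment) {
  const m = /^#?frames\((.*)\)$/.exec(fragment.trim());
  if (!m) throw new Error("not a #frames(...) fragment: " + fragment);
  const args = {};
  for (const pair of m[1].split(",")) {
    const eq = pair.indexOf("=");
    if (eq < 0) throw new Error("malformed frame argument: " + pair);
    const name = pair.slice(0, eq).trim();
    const uri = pair.slice(eq + 1).trim();
    if (!name || !uri) throw new Error("empty frame name or URI: " + pair);
    args[name] = uri;
  }
  return args;
}

// Hypothetical "same-origin only" security level: every argument URI is
// resolved against the frameset document's URL and must share its origin.
// Returns which frames would be loaded and which would be refused, so a
// user agent could either block the load or warn the user.
function checkFramesetArguments(framesetUrl, fragment) {
  const base = new URL(framesetUrl);
  const result = { allowed: {}, rejected: {} };
  for (const [name, uri] of Object.entries(parseFramesFragment(fragment))) {
    const target = new URL(uri, base); // relative URIs resolve to the frameset's origin
    if (target.origin === base.origin) {
      result.allowed[name] = target.href;
    } else {
      result.rejected[name] = target.href; // e.g. the evil.org orderform copy
    }
  }
  return result;
}

// Constructed sample: the legitimate frameset and the rewritten link.
const SHOP_FRAMESET = "http://shop.example/buy.xfm";
const LEGIT_FRAGMENT = "#frames(nav=menu.html,main=orderform.html)";
const REWRITTEN_FRAGMENT =
  "#frames(nav=menu.html,main=http://www.evil.org/orderform.html)";

console.log(checkFramesetArguments(SHOP_FRAMESET, LEGIT_FRAGMENT));
console.log(checkFramesetArguments(SHOP_FRAMESET, REWRITTEN_FRAGMENT));
```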