- From: Clover Andrew <aclover@1VALUE.com>
- Date: Tue, 2 Jan 2001 15:32:32 +0100
- To: "'www-style@w3.org'" <www-style@w3.org>
> It is. IFRAMEs work properly now

Interesting. Has there been a discussion of security implications
of this?

Is there anything to prevent a hostile page[1] from displaying
an apparently authentic target site[2] in an <iframe> with overlaid
content belonging to the hostile site?

This would seem to open the door to attacks where form contents are
submitted somewhere other than where the user would expect, in
particular.

[1] esp. a typosquatter or owner of the same name on a different
TLD, so the URL discrepancy is less likely to be noticed.

[2] worse than a simple impersonation attack in that the content
does come from the target site, and is accessed using the user's
privileges, cf. client-side trojan.
--
Andrew Clover
Technical Support
1VALUE.com AG
Received on Tuesday, 2 January 2001 09:39:25 UTC
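
The message asks whether anything prevents a hostile page from framing a target site. Browsers later gained two response headers for this, X-Frame-Options and the CSP frame-ancestors directive, neither of which appears in this message. The following is an added example, not part of the original post, that evaluates those headers for a given embedding parent; the function names, origins and header values are constructed.

```javascript
// Added example with constructed names and origins. Simplifications: one CSP
// header, only the direct parent is checked, host sources carry no port.
function framingDecision(headers, pageOrigin, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const page = new URL(pageOrigin), parent = new URL(parentOrigin);

  // A frame-ancestors directive, when present, replaces X-Frame-Options.
  const directive = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // An empty source list matches nothing, the same as 'none'.
    const allowed = directive.slice(1).some((s) => sourceMatches(s, page, parent));
    return { allowed, by: "frame-ancestors" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, by: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parent.origin === page.origin, by: "x-frame-options" };
  }
  // No recognised anti-framing header: any origin may frame the page.
  return { allowed: true, by: "none" };
}

function sourceMatches(source, page, parent) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return parent.origin === page.origin;
  // scheme://host or scheme://*.host; anything else fails closed here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m || parent.port !== "") return false;
  const scheme = (m[1] || page.protocol.slice(0, -1)) + ":";
  if (scheme !== parent.protocol) return false;
  return m[2] ? parent.hostname.endsWith("." + m[3]) : parent.hostname === m[3];
}

// Constructed case from footnote [1]: same name on a different TLD.
const sample = framingDecision({ "X-Frame-Options": "SAMEORIGIN" },
  "https://bank.example", "https://bank.example.net");
console.log(sample); // { allowed: false, by: 'x-frame-options' }
```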