[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
bil at corry.biz
Wed Feb 18 12:31:58 PST 2009
Boris Zbarsky wrote on 2/18/2009 9:27 AM:
> On Thu, 25 Sep 2008, Michal Zalewski wrote:
>> 1) Create an HTTP-level (or HTTP-EQUIV) mechanism along the lines of
>> "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
>> page to inhibit frame rendering in potentially dangerous situations.
>> - Super-simple
>> - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
>> action is taken
> Right. And really no different from:
> if (window != window.top)
> window.top.location.href = window.location.href;
> in effect, right? This last already works in all browsers except IE,
> which is presumably why IE felt the need to add another way to do it.
Supposedly, a future release of IE8 will fix this (see Issue #4):
> There _is_ an issue here if script is disabled, of course. In that
> case, are there still situations where the parent frame can effectively
> mislead the user?
<script>if (top != self) top.location = location</script>
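The frame-busting check discussed in this thread, as an added example that is not code from the thread or from any browser vendor: it keeps the same `top != self` test but lets same-origin framing through and treats a cross-origin top window (whose location the browser refuses to expose) as the case that triggers the bust. The window objects are constructed stand-ins so it runs under Node; as noted above, none of this runs when script is disabled, which is the gap a header-based opt-out is meant to cover.

```javascript
// Added example, not from the thread. A frame-busting decision written as a
// pure function over a window-like object, so the same-origin and
// cross-origin cases can be exercised without a browser.

// True when this document is framed by a document from another origin.
// Browsers refuse reads of a cross-origin window's location and throw a
// SecurityError; that exception is itself the signal that the framer is
// foreign, so any failure is treated as hostile (fail closed).
function isFramedCrossOrigin(win) {
  if (win.top === win.self) return false;            // not framed at all
  try {
    return win.top.location.origin !== win.location.origin;
  } catch (e) {
    return true;                                      // cross-origin access blocked
  }
}

// Same navigation as the thread's one-liner, applied only when needed.
// Returns the URL the top window was sent to, or null if no action was taken.
function bustFrame(win) {
  if (!isFramedCrossOrigin(win)) return null;
  win.top.location.href = win.location.href;
  return win.location.href;
}

// Constructed stand-ins for browser windows (assumed shapes, not real DOM).
function makeWindow(origin, top) {
  const w = { location: { origin, href: origin + '/page' } };
  w.self = w;
  w.top = top || w;
  return w;
}

// A top window from another origin: reading its location throws, as the
// same-origin policy dictates, while assigning href (navigation) is allowed.
function crossOriginTop() {
  const t = { location: {}, navigatedTo: null };
  Object.defineProperty(t.location, 'origin', {
    get() { throw new Error('SecurityError: cross-origin access blocked'); }
  });
  Object.defineProperty(t.location, 'href', {
    get() { throw new Error('SecurityError: cross-origin access blocked'); },
    set(url) { t.navigatedTo = url; }
  });
  return t;
}

// Demonstration: a page at one origin framed by a page at another.
const victim = makeWindow('https://example.test', crossOriginTop());
bustFrame(victim);   // victim.top.navigatedTo is now 'https://example.test/page'
```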