[whatwg] Prevent a document from being manipulated by a "top" document
Dennis Joachimsthaler
dennis at efjot.de
Tue Aug 2 03:48:06 PDT 2011
Am 02.08.2011, 12:38 Uhr, schrieb Anne van Kesteren <annevk at opera.com>:
> On Tue, 02 Aug 2011 12:33:18 +0200, Dennis Joachimsthaler
> <dennis at efjot.de> wrote:
>> I took a look at the X-Frame-Options and it only disallows displaying
>> in a frame, not forbidding only script access.
>
> What kind of script access is allowed cross-origin that you are
> concerned about?
>
>
I agree that just disallowing that the page gets shown is one solution
but I am mainly concerned about reading important information out of
an iframe site.
Say, there's a site which uses an autologin facility to automatically
log their users in when the site is opened.
Malicious guy #1 prepares a site that loads the same site in an iframe.
The site with the precious information could now do either:
a) Use a javascript to try getting the "top" site off the iframe
(top.location)
If it's sandboxed and top.location is disallowed, this doesn't help.
b) Use the X-Frame-Options header
Doesn't work in all browsers!
(But seriously, this would be also a weakness of my proposition,
so I give it that)
Also what if he wants to allow his content framed?
This is a use case when theres a cross-site login system using a frame.
Of course the login provider does not want the site that uses it spies
the login info from his clients.
I just had another idea: The same protection would apply to pop-ups.
More information about the whatwg
mailing list