[whatwg] HTML5 frame navigation policy
hk9565 at gmail.com
Tue Apr 29 17:56:14 PDT 2008
A couple points about Section 4.1.4:
1) The spec, as written, prohibits frame-busting.
Test case: <http://crypto.stanford.edu/~abarth/research/html5/frame-busting/>
* Internet Explorer 8 beta: Navigation allowed.
* Firefox 3 nightly: Navigation allowed.
* Safari 3.1: Navigation allowed.
* Opera 9: Navigation allowed.
Frame-busting is used by many sites, including the Yahoo sign-in page.
The Yahoo sign-in page uses frame-busting to avoid showing its
trusted sign-in image while being framed by an attacker (who can
overlay his own password field on top of Yahoo's).
2) The spec reads "The browsing context B an auxiliary browsing
context and either its opener browsing context is A or A is allowed to
navigate B's opener browsing context." This is redundant because if
B's opener browsing context is A, then A is allowed to navigate B's
opener browsing context.
3) Consider the following set of frames. A opens X, which opens B.
Now A attempts to navigate B.
Test case: <http://crypto.stanford.edu/~abarth/research/html5/transitive-opener/>
* Internet Explorer 8 beta: Navigation allowed (IE does not implement
an opener restriction).
* Firefox 3 nightly: Navigation denied.
* Safari 3.1: Navigation allowed (Safari does not implement an opener
* Opera 9: Navigation denied.
The spec allows this navigation because it says "A is allowed to
navigate B's opener browsing context." Now, A is allowed to navigate
X (by this rule), which means A is also allowed to navigate B (by a
second application of this rule).
I don't have access to the Opera source code, but Firefox's opener
restriction computes just one level of recursion. Note the branch at
and that the function passes PR_FALSE for the parameter
aConsiderOpener when it calls itself recursively.
On Tue, Apr 29, 2008 at 2:11 AM, Ian Hickson <ian at hixie.ch> wrote:
> On Tue, 29 Jan 2008, Collin Jackson wrote:
> > On Oct 26, 2007 3:51 PM, Adam Barth <hk9565 at gmail.com> wrote:
> > > Collin Jackson and I have been looking at the frame navigation policy
> > > of various browsers and have a suggestion for improving the frame
> > > navigation policy in the HTML5 spec. As we understand the spec,
> > > it is stricter than IE7, Firefox 2, IE6, and Safari 3.
> > Since Adam sent this original email, we've been working with browser
> > vendors to deploy the Ancestor frame navigation policy in browsers. A
> > description of this policy can be found at
> > <http://crypto.stanford.edu/frames/>.
> > By adopting this policy, HTML5 will match Internet Explorer, Firefox,
> > and Safari.
> Ian Hickson U+1047E )\._.,--....,'``. fL
> http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
> Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
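The two cases Adam raises (the transitive-opener navigation in point 3 and the framed sign-in page in point 1) can be checked against a small model of the "allowed to navigate" rule. The following is an added example, not code from the original post or from any browser; it assumes same-origin contexts may navigate each other, that a context may navigate its frame-tree descendants, and it deliberately omits the later spec clause that lets a nested context navigate its own top-level context, so that it reproduces the draft behaviour the post describes.

```javascript
// Added example, not code from the original post or from any browser: a toy
// model of the HTML5 "allowed to navigate" check discussed above, so the
// transitive-opener and frame-busting cases can be exercised offline in Node.
// Browsing contexts are plain objects carrying only the fields the model needs.
// Assumptions (labelled here because the post only quotes the opener rule):
//   * same-origin contexts may navigate each other;
//   * a context may navigate any descendant in its frame tree;
//   * the later spec rule letting a nested context navigate its own top-level
//     context is deliberately left out, to reproduce the draft the post describes.

function context(name, origin, { parent = null, opener = null } = {}) {
  return { name, origin, parent, opener };
}

function sameOrigin(a, b) {
  return a.origin === b.origin;
}

function isAncestor(a, b) {
  for (let p = b.parent; p !== null; p = p.parent) {
    if (p === a) return true;
  }
  return false;
}

// Is `a` allowed to navigate `b`?
// transitiveOpener = true  : the spec reading quoted in point 3, where "A is
//                            allowed to navigate B's opener" is applied
//                            recursively, so A -> X -> B lets A navigate B.
// transitiveOpener = false : the Firefox-style check the post describes, which
//                            follows the opener link only one level (the
//                            recursive call is made with considerOpener off).
function allowedToNavigate(a, b, transitiveOpener) {
  function check(target, considerOpener) {
    if (target === a || sameOrigin(a, target) || isAncestor(a, target)) return true;
    if (considerOpener && target.opener !== null) {
      if (target.opener === a) return true;
      return check(target.opener, transitiveOpener);
    }
    return false;
  }
  return check(b, true);
}

// Point 3: A opens X, X opens B, then A tries to navigate B.
function transitiveOpenerScenario() {
  const A = context("A", "https://a.example");
  const X = context("X", "https://x.example", { opener: A });
  const B = context("B", "https://b.example", { opener: X });
  return {
    spec: allowedToNavigate(A, B, true),        // allowed: the rule is applied twice
    oneLevel: allowedToNavigate(A, B, false),   // denied: only B's opener X is examined
    direct: allowedToNavigate(A, X, false),     // allowed either way: A is X's opener
  };
}

// Point 1: a cross-origin sign-in page framed by an attacker tries to bust out
// by navigating the top-level context. Under the rules modelled above there is
// no clause that permits it, which is the frame-busting problem the post raises.
function frameBustingScenario() {
  const attacker = context("attacker", "https://attacker.example");
  const signin = context("signin", "https://signin.example", { parent: attacker });
  return {
    bustOut: allowedToNavigate(signin, attacker, true),   // denied
    frameIn: allowedToNavigate(attacker, signin, true),   // allowed: attacker is an ancestor
  };
}

console.log(transitiveOpenerScenario(), frameBustingScenario());
```

Running it under Node prints `spec: true, oneLevel: false` for the A-opens-X-opens-B case, matching the split between the spec text and the one-level Firefox/Opera behaviour in the post's test results, and `bustOut: false` for the framed sign-in page, which is the prohibition on frame-busting that point 1 describes.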