[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Bil Corry bil at corry.biz
Wed Feb 18 12:31:58 PST 2009


Boris Zbarsky wrote on 2/18/2009 9:27 AM: 
> On Thu, 25 Sep 2008, Michal Zalewski wrote:
>> 1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of
>>    "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
>>    page to inhibit frame rendering in potentially dangerous situations.
>>
>>    Pros:
>>
>>    - Super-simple
>>
>>    Cons:
>>
>>    - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
>>      action is taken
> 
> Right.  And really no different from:
> 
>   <script>
>     if (window != window.top)
>       window.top.location.href = window.location.href;
>   </script>
> 
> in effect, right?  This last already works in all browsers except IE,
> which is presumably why IE felt the need to add another way to do it.

Supposedly, a future release of IE8 will fix this (see Issue #4):

	http://ha.ckers.org/blog/20081007/clickjacking-details/


> There _is_ an issue here if script is disabled, of course.  In that
> case, are there still situations where the parent frame can effectively
> mislead the user?

One solution I've seen is to position a giant <div> over the page so that nothing is clickable when JavaScript is disabled:

	<script>if (top != self) top.location = location</script>
	<noscript><div style="position:absolute;left:0;top:0;z-index:999;width:10000px;height:10000px;background-color:black;color:white;">This page requires JavaScript</div></noscript>

Of course, that breaks the site for anyone surfing without JavaScript.



- Bil
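Added example (not code from the post or its authors): the frame-busting check discussed above, factored into a function that can be exercised without a browser. The `window`-like objects below are constructed stand-ins; in a real page the browser supplies `window`, `top` and `self`.

```javascript
// Decide whether the current document is being rendered inside a frame.
// In a browser, win.top is the outermost window and win.top === win for a
// top-level document. Comparing the references never throws, even when the
// framing page is on another origin (only property reads on a cross-origin
// top throw).
function isFramed(win) {
  return win.top !== win;
}

// The "top != self -> top.location = location" idiom from the thread.
// Returns the URL the outermost window is navigated to, or null when the
// page is already top-level and nothing needs to happen.
function frameBust(win) {
  if (!isFramed(win)) return null;
  const target = win.location.href;
  // Assigning to top.location is allowed cross-origin; this is what the
  // quoted <script> does. It only runs when script is enabled, which is the
  // gap the <noscript> overlay in the post tries to cover.
  win.top.location.href = target;
  return target;
}

// Constructed stand-in for a top-level window (top points at itself).
function makeTopLevelWindow(href) {
  const w = { location: { href } };
  w.top = w;
  return w;
}

// Constructed stand-in for a window rendered inside a frame on some other
// page; framingHref is the URL of that outer page.
function makeFramedWindow(href, framingHref) {
  const top = { location: { href: framingHref } };
  return { location: { href }, top };
}
```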



