[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Bil Corry
bil at corry.biz
Wed Feb 18 12:31:58 PST 2009
Boris Zbarsky wrote on 2/18/2009 9:27 AM:
> On Thu, 25 Sep 2008, Michal Zalewski wrote:
>> 1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of
>> "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
>> page to inhibit frame rendering in potentially dangerous situations.
>>
>> Pros:
>>
>> - Super-simple
>>
>> Cons:
>>
>> - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
>> action is taken
>
> Right. And really no different from:
>
> <script>
> if (window != window.top)
> window.top.location.href = window.location.href;
> </script>
>
> in effect, right? This last already works in all browsers except IE,
> which is presumably why IE felt the need to add another way to do it.
Supposedly, a future release of IE8 will fix this (see Issue #4):
http://ha.ckers.org/blog/20081007/clickjacking-details/
> There _is_ an issue here if script is disabled, of course. In that
> case, are there still situations where the parent frame can effectively
> mislead the user?
One solution I've seen is to position a giant <div> over the page so that nothing is clickable when JavaScript is disabled:
<script>if (top != self) top.location = location</script>
<noscript><div style="position:absolute;left:0;top:0;z-index:999;width:10000px;height:10000px;background-color:black;color:white;">This page requires JavaScript</div></noscript>
Of course, that breaks the site for anyone surfing without JavaScript.
- Bil
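As an added example (not code from the whatwg post or from either browser vendor), the following models the decision a browser would have to make for the opt-in header Michal proposed, side by side with X-Frame-Options, the header IE8 actually shipped. The header names, URLs and the single-level ancestor check are assumptions of this model, not details from the thread.

```javascript
// Added example (not from the whatwg post): model the browser-side question
// "should this response be rendered inside a frame?" for the opt-in header
// proposed in the thread and for X-Frame-Options, the header IE8 shipped.
const PROPOSED_HEADER = 'x-i-do-not-want-to-be-framed-across-domains';
const XFO_HEADER = 'x-frame-options';

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// documentUrl: URL of the response being loaded into a frame.
// topUrl: URL of the top-level browsing context, or null when the document
//         itself is the top-level page (no framing involved at all).
// Returns true if the document should be rendered.
function mayRenderInFrame(headers, documentUrl, topUrl) {
  if (topUrl === null) return true;          // not framed: nothing to block
  const h = normalizeHeaders(headers);
  // URL.origin folds default ports: https://a.example:443 === https://a.example
  const sameOrigin = new URL(documentUrl).origin === new URL(topUrl).origin;

  // The proposed header refuses cross-domain framing only.
  if ((h[PROPOSED_HEADER] || '').toLowerCase() === 'yes' && !sameOrigin) return false;

  // X-Frame-Options: DENY blocks all framing, SAMEORIGIN allows only same-origin
  // framing. Real browsers walk the whole ancestor chain; this model (an
  // assumption for brevity) looks at the top-level page only.
  const xfo = (h[XFO_HEADER] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin;

  // Neither header present: the document renders no matter who frames it.
  // This is the "opt-in" drawback raised in the thread: an unprotected site
  // stays exposed until its operator adds a header.
  return true;
}

// Constructed URLs for a stand-alone run.
console.log(mayRenderInFrame({}, 'https://bank.example/pay', 'https://other.example/'));                              // true
console.log(mayRenderInFrame({ 'X-Frame-Options': 'SAMEORIGIN' }, 'https://bank.example/pay', 'https://other.example/')); // false
```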