[whatwg] Prevent a document from being manipulated by a "top" document

Dennis Joachimsthaler dennis at efjot.de
Tue Aug 2 03:48:06 PDT 2011


On 02.08.2011, 12:38, Anne van Kesteren <annevk at opera.com> wrote:

> On Tue, 02 Aug 2011 12:33:18 +0200, Dennis Joachimsthaler  
> <dennis at efjot.de> wrote:
>> I took a look at the X-Frame-Options and it only disallows displaying
>> in a frame, not forbidding only script access.
>
> What kind of script access is allowed cross-origin that you are  
> concerned about?
>
>

I agree that just disallowing the page from being shown is one solution,
but I am mainly concerned about reading important information out of
an iframe site.

Say, there's a site which uses an autologin facility to automatically
log their users in when the site is opened.

Malicious guy #1 prepares a site that loads the same site in an iframe.

The site with the precious information could now do either:

a) Use JavaScript to try to get the "top" site from the iframe
(top.location)
	If it's sandboxed and top.location is disallowed, this doesn't help.

b) Use the X-Frame-Options header
	Doesn't work in all browsers!
	(But seriously, this would be also a weakness of my proposition,
	so I give it that)
	Also, what if he wants to allow his content to be framed?
	This is a use case where there's a cross-site login system using a frame.
	Of course the login provider does not want the site that uses it to spy
	on its clients' login info.


I just had another idea: The same protection would apply to pop-ups.
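The frame-busting check from option (a), as an added example that is not part of the original post or the thread. It models the check with constructed window-like objects (makeWindow is a hypothetical helper, an assumption of this example) so the sandboxed failure mode the post mentions can be exercised without a browser.

```javascript
// Added example, not code from the thread. Models option (a) above, the
// top.location frame-busting check, with constructed window-like objects
// standing in for the real browser objects.
//
// Outcomes returned by frameGuard:
//   "not-framed" : the document is top-level, nothing to do
//   "busted"     : top.location was writable, so top was navigated to our own URL
//   "blanked"    : top.location is not writable (sandboxed frame without
//                  allow-top-navigation), so the page hides its own content
function frameGuard(win) {
  if (win.top === win.self) return "not-framed";
  try {
    win.top.location = win.self.location.href;
    return "busted";
  } catch (err) {
    // Navigating top is blocked; do not leave sensitive content on screen.
    win.document.body.innerHTML = "";
    return "blanked";
  }
}

// Constructed stand-in for a window (hypothetical helper, an assumption of
// this example). sandboxed=true makes writes to top.location throw, as a
// sandboxed iframe without allow-top-navigation does in a browser.
function makeWindow({ framed, sandboxed }) {
  const self = { location: { href: "https://login.example/auth" } };
  const top = framed ? { navigatedTo: null } : self;
  if (framed) {
    Object.defineProperty(top, "location", {
      set(value) {
        if (sandboxed) throw new Error("SecurityError: top navigation blocked");
        top.navigatedTo = value;
      },
    });
  }
  return { self, top, document: { body: { innerHTML: "<form>secret</form>" } } };
}
```

The blanking fallback is what makes the script approach degrade safely when the framing page sandboxes the iframe; without it, the login form stays rendered inside the attacker's page.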