On Thu, 25 Sep 2008, Michal Zalewski wrote:
1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of
"X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
page to inhibit frame rendering in potentially dangerous situations.
Pros:
- Super-simple
Cons:
- "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
action is taken
Right. And really no different from:
<script>
if (window != window.top)
window.top.location.href = window.location.href;
</script>
in effect, right? This last already works in all browsers except IE,
which is presumably why IE felt the need to add another way to do it.
There _is_ an issue here if script is disabled, of course. In that
case, are there still situations where the parent frame can effectively
mislead the user?
2) Add a document-level mechanism to make "if nested <show this> else
<show that>" conditionals possible without Javascript. One proposal is
to do this on the level of CSS (by using either the media-dependency
features of CSS or special classes); another is to introduce new HTML
tags. This would make it possible for pages to defend themselves even
in environments where Javascript is disabled or limited.
Right, addressing the concern above. The pro is that it ties
information directly to the document. The con is that it's harder to
deploy site-wide.... Is that a concern?
-Boris
