On Wed, May 19, 2010 at 4:57 PM, Adam Barth w...@adambarth.com wrote:
Virtually none of the JavaScript framebusting scripts used by web
sites are effective.
Yes. If anyone would like to see more evidence of this, here's a recent
study of the Alexa Top 500 web sites. None of them were

On Thu, Sep 25, 2008 at 10:24 AM, Michal Zalewski [EMAIL PROTECTED] wrote:
Other quick fixes are easy to come up with, but in general prove problematic
in many usage scenarios. Based on our internal conversations, we have a
number of proposals for approaches to how to address the issue, along

On Thu, Sep 25, 2008 at 1:46 PM, Michal Zalewski [EMAIL PROTECTED] wrote:
7) New HTTP request header: Browser vendors seem to be moving away from
same origin restrictions towards verifiable origin labels that let the
site decide whether two security origins trust each other. Recent examples
Adam Barth, John Mitchell, and I have written an academic paper in
support of the Origin header as a CSRF defense:
http://crypto.stanford.edu/websec/csrf/

On Wed, Jul 9, 2008 at 6:59 PM, Jonas Sicking [EMAIL PROTECTED] wrote:
Hi All,
The Access-Control spec [1] adds an 'Origin' header that is

On Thu, Jul 3, 2008 at 12:59 AM, Kristof Zelechovski
[EMAIL PROTECTED] wrote:
Microsoft HTML engine supports the following syntax:
IFRAME src=about:HTML ./HTML .
I'd like to learn more about this. I wasn't able to reproduce it in
IE. Is it documented somewhere?
Collin Jackson

the message. There are a number of gotchas, which we
think we've handled correctly, but it's hard to be sure. In the end,
it would be much simpler and less error-prone to write this as a
single line of code:
frames[0].postMessage(message, "theory.stanford.edu");
Collin Jackson

Here is a suggestion for a backwards-compatible addition to the
postMessage specification:
Currently postMessage is great for sending authenticated messages
between frames. The receiver knows exactly where each message came
from. However, it doesn't provide any confidentiality guarantees. When

On Oct 26, 2007 3:51 PM, Adam Barth [EMAIL PROTECTED] wrote:
Collin Jackson and I have been looking at the frame navigation policy
of various browsers and have a suggestion for improving the frame
navigation policy in the HTML5 spec. As we understand the spec [1],
it is stricter than IE7