On May 19, 2010, at 8:14 PM, Collin Jackson wrote: > On Wed, May 19, 2010 at 4:57 PM, Adam Barth <[email protected]> wrote: > Virtually none of the JavaScript framebusting scripts used by web > sites are effective. > > Yes. If anyone would like to see more evidence of this, here's a recent study > of the Alexa Top 500 web sites. None of them were framebusting correctly with > JavaScript. > > http://w2spconf.com/2010/papers/p27.pdf This probably is not the right list for this but seems like the X-FRAME-OPTIONS http header could be strengthened by having the UA send all requests from pages that have the X-FRAME-OPTIONS to also containt either the X-FRAME-OPTIONS or another tag. One weakness pointed out in the paper is that proxies can strip the header. If the server doesn't see the header come back, it would know that it got stripped out and the request needs to be questioned. I don't know if there is a way to introduced "fake" http headers into requests or not. If there is, that would need to be addressed too.
Perry
