Busting, and Fixing, Frame Busting
An anonymous reader writes "A study presented last week at the IEEE Web Security and Privacy workshop shows that frame busting code used at popular websites is easily circumvented. Frame busting is a widely used technique to prevent clickjacking attacks. The researchers propose better frame busting code and suggest that websites migrate to this new code."
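To make the summary concrete, here is an added example (my own code, not the study's and not from any site in the thread) contrasting the classic frame-busting pattern with a fail-closed one. The browser snippet it models is an assumption written out in the comments; the logic is run over plain window-like objects so it can be exercised under Node. `X-Frame-Options` is a real response header; the URLs are constructed sample values.

```javascript
// Added example: a fail-closed frame-busting check, modelled over plain
// window-like objects so the decision logic can be run and tested under Node.
// Not code from the study or from any site in the thread.
//
// The browser-side pattern this models (hypothetical page markup, assumed here):
//   <style>html { display: none; }</style>
//   <script>
//     if (self === top) document.documentElement.style.display = 'block';
//     else top.location = self.location;
//   </script>
// alongside the HTTP response header  X-Frame-Options: DENY  (or SAMEORIGIN),
// which lets the browser refuse to render the page inside a frame at all.

// Build a minimal window-like object. `top` defaults to the window itself,
// i.e. a top-level document; pass another window to simulate being framed.
// `navigationSticks = false` models a top-level navigation that never takes
// effect (an assignment to top.location that silently does nothing).
function makeWindow(url, { top = null, navigationSticks = true } = {}) {
  const win = {
    document: { documentElement: { style: { display: 'none' } } }, // hidden by CSS
    location: {},
    top: null,
  };
  let href = url;
  Object.defineProperty(win.location, 'href', {
    get: () => href,
    set: (v) => { if (navigationSticks) href = v; },
  });
  win.top = top || win;
  return win;
}

// Classic pattern: the page is visible by default and only tries to escape.
// If the escape navigation never takes effect, the content stays on screen
// inside the embedding frame, exactly where a clickjacking overlay wants it.
function legacyFrameBust(win) {
  win.document.documentElement.style.display = 'block'; // no CSS hiding here
  if (win.top !== win) win.top.location.href = win.location.href;
  return win.document.documentElement.style.display;
}

// Fail-closed pattern: the page starts hidden and is revealed only when the
// script positively confirms it is the top-level window. When framed it still
// attempts the escape but never reveals itself, so a navigation that fails
// leaves nothing for a click to land on.
function failClosedFrameBust(win) {
  if (win.top === win) {
    win.document.documentElement.style.display = 'block';
  } else {
    win.top.location.href = win.location.href;
  }
  return win.document.documentElement.style.display;
}

// Run one scenario and report whether the protected page ended up visible
// and which URL the top-level window ended up on.
function scenario(bustFn, { framed, navigationSticks }) {
  const outer = makeWindow('https://wrapper.example/', { navigationSticks });
  const app = framed
    ? makeWindow('https://app.example/account', { top: outer })
    : makeWindow('https://app.example/account');
  const display = bustFn(app);
  return { visible: display === 'block', topHref: app.top.location.href };
}

// Compare both patterns across the three cases that matter.
for (const [name, fn] of [['legacy', legacyFrameBust], ['fail-closed', failClosedFrameBust]]) {
  console.log(name, 'top-level       ', scenario(fn, { framed: false, navigationSticks: true }));
  console.log(name, 'framed, escapes ', scenario(fn, { framed: true, navigationSticks: true }));
  console.log(name, 'framed, stuck   ', scenario(fn, { framed: true, navigationSticks: false }));
}
```

The line to watch is "framed, stuck": the legacy pattern reports `visible: true` with the top window still on the wrapper's URL, while the fail-closed pattern keeps the document hidden. Script-based busting is still only a fallback; the header lets the browser enforce the same policy before any script runs.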
Re:Better Yet (Score:1, Informative)
Even the Google Image searches - it's annoying that I have to click on the image and then click on another one to get linked to the full size image.
Voilà! [userscripts.org]
ERROR: HOTLINKING FORBIDDEN (Score:3, Informative)
Why not just make the image go straight to the image link, and put a URL under the image that goes to the page it's hosted on? No more frames, and less hassle.
ERROR: HOTLINKING FORBIDDEN is why. At least loading the original page gives the browser a chance to load and cache the image on the page so that the first hit to the server has an acceptable Referer.
Same Origin Policy (Score:5, Informative)
Agreed, frames are the scourge of the web, obliterate them from the universe immediately.
Whereas a DIV that floats annoyingly around your page with content loaded from an external source is perfectly okay, because it's ... ? In the HTML spec?
Unlike frames, the XMLHttpRequest to get the content into the DIV is restricted by the Same Origin Policy.
Re:Hmm ... (Score:4, Informative)
... hosted on a site that requires you to allow JavaScript just to read a static-looking page that only provides a summary and a hyperlink to another major malware vector - a PDF file.
They sure appear to use a lot of unnecessary and insecure crap to serve up an article about how everyone else's web designs suck.
Re:Same Origin Policy (Score:3, Informative)
Nope. jQuery isn't magic, it still follows the same rules under the hood, it is still using XMLHttpRequest. The exception to the same origin policy for JavaScript code is you can load .js files from wherever, so the way around it is JSONP. See for example http://ecmanaut.blogspot.com/2006/01/jsonp-why-how.html [blogspot.com]