
Security implications of allowing framing?

I notice that when I try to access Stack Overflow through the reddit toolbar, I get a popup that says "For security reasons, framing is not allowed". See here for an example.

What exactly are those security reasons?

I realize that this might be a question for meta, but it is really more of a general web security question, so I'm giving it a shot here.

Thanks.


You can check the story on that in here.

EDIT:

Ok, so quoting from the link, the problem with framing is that it's the first step to clickjacking. How is that accomplished? You can have an apparently harmless page with links which has on top of it a frame with full transparency that was carefully positioned so that when you click the links of the page, you'll be clicking links or buttons of the framed page. Although you can't see the frame (due to full transparency), your clicks will be caught by it. The result is that, while the user is led to think he's just navigating a random page, he may actually be changing his Twitter status, sending emails, doing something on Facebook, clicking a PayPal "Yes please donate it all" button, ... imagination is the limit.


To protect its users from click jacking attacks. In simple words click jacking works like this:

  • The attacker hosts the malicious html file
  • This file loads the 'attacked' website in the background using a frame and by overlaying elements on top of the 'attacked' website it tries to trick the users into clicking something they didn't want to.

If an evil website decides it's going to frame your website, you will be framed. Period.

Wrong. Mechanisms like the one implemented here in stackoverflow protect websites from being loaded inside another possibly malicious page. This way the site protects its users against click jacking attacks.

If that is the case, why do it at all? Furthermore, the target of the attack is not necessarily the site being framed, it could be any site. So again, why bother busting the frame?

The frame is used to load the 'victim' website inside a page that will try to trick the users. Busting the frame means that the site is blocking these possible click jacking attacks. Or at least adding an extra layer of security, since these 'filters' can also be bypassed.

Read the original research paper about click jacking
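The answer above describes script-based frame busting, which browsers now supersede with response headers (X-Frame-Options and the CSP frame-ancestors directive). As an added example, not code from this thread, the following function decides from a response's headers whether another origin may frame the page; the header names and values are real, the sample responses are constructed.

```javascript
// Added example (not code from the thread): decide from an HTTP response's
// headers whether another origin may frame the page. This is the header-based
// successor to the JavaScript frame busting the answer describes; the header
// names and values are real, the sample responses below are constructed.

// Extract the source list of a CSP frame-ancestors directive, or null if absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((src) => src.toLowerCase());
    }
  }
  return null;
}

// Returns 'blocked', 'same-origin', 'restricted' (named origins only) or 'allowed'.
// Browsers that support frame-ancestors ignore X-Frame-Options when both are
// present, so CSP is consulted first and the legacy header only as a fallback.
function framingVerdict(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    // An empty source list matches no origin, which is equivalent to 'none'.
    if (ancestors.length === 0 || ancestors.includes("'none'")) return 'blocked';
    if (ancestors.length === 1 && ancestors[0] === "'self'") return 'same-origin';
    return 'restricted';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // No header, or the obsolete ALLOW-FROM form that current browsers ignore.
  return 'allowed';
}

// Constructed sample responses, keyed by a label, audited in one pass.
const sampleResponses = {
  legacyDeny: { 'X-Frame-Options': 'DENY' },
  cspWins: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
             'X-Frame-Options': 'SAMEORIGIN' },
  partner: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
  unprotected: { 'Content-Type': 'text/html' },
};

function auditResponses(responses) {
  const report = {};
  for (const [label, headers] of Object.entries(responses)) report[label] = framingVerdict(headers);
  return report;
}

console.log(auditResponses(sampleResponses));
```

A response that reports 'allowed' relies entirely on in-page frame busting, which the answer notes can be bypassed.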


Apparently there is a tiny chance of a possible click-jack attack as demonstrated here:

http://dsandler.org/wp/archives/2009/02/12/dontclick

So I guess it kinda makes sense, but it is awfully inconvenient.
