Security implications of allowing framing?

I notice that when I try to access Stackoverflow through the reddit toolbar, I get a pop-up that says, "For security reasons, framing is not allowed." See here for an example.

What exactly are these security considerations?

I understand that this may be a question for meta, but it really is a more general security issue on the Internet, so I'll give it a shot here.

Thanks.

+7
security iframe
3 answers

You can check out the story about it here.

EDIT:

So, referring to the link, the problem with framing is that it is the first step to clickjacking. How is it done? You could have a seemingly innocuous page with links that has a fully transparent frame carefully placed over it, so that when you click the links on the page you are actually clicking links or buttons on the framed page. Although you cannot see the frame (because it is fully transparent), your clicks are caught by it. This means that while a user thinks he is simply browsing a random page, he may actually be changing his Twitter status, sending emails, doing something on Facebook, clicking the "Yes, please donate everything" button... imagination is the limit.

+1

To protect your users from clickjacking attacks. In simple words, clickjacking works as follows:

  • The attacker hosts a malicious HTML file
  • This file loads the "attacked" website in the background using a frame and, by overlaying elements on top of the attacked website, tries to trick users into clicking on things they did not intend to.

If an evil site decides that it is going to frame your site, you will be framed. Period.

Wrong. Mechanisms like the ones described here on stackoverflow protect websites from being loaded inside another, possibly malicious, page. Thus the site protects its users from clickjacking attacks.

If so, why do this at all? Besides, the target of the attack is not necessarily the framing site; it can be any site. So why bother with frame busting?

The frame is used to load the "victim" website inside the page that will try to trick users. Frame busting means the website blocks these possible clickjacking attacks. Or, at least, it adds an additional layer of security, since these "filters" can also be bypassed.

Read the original clickjacking research paper

+1

There seems to be a tiny chance of a possible clickjacking attack, as shown here:

http://dsandler.org/wp/archives/2009/02/12/dontclick

So I think it makes sense, but it's terribly inconvenient.

0