tags:

views:

66

answers:

3
+6  Q: 

Security implications of allowing framing?

I notice that when I try to access Stackoverflow through the reddit toolbar, I get a popup that says "For security reasons, framing is not allowed". See here for an example.

What exactly are those security reasons?

I realize that this might be a question for meta, but it is really more of a general web security question, so I'm giving it a shot here.

Thanks.

+1  A: 

You can check the story on that in here.

EDIT:

Ok, so quoting from the link the problem with framing is that it's the first step to clickjacking. How is that accomplished? You can have an apparently harmless page with links which have on top of it a frame with full transparency that was carefully positioned so that when you click the links of the page, you'll be clicking links or buttons of the framed page. Although you can't see the frame (due to full transparency), your clicks will be caught by it. This results in, while the user is lead to thinking that he's just navigating on a random page, he may be actually changing his twitter status, sending emails, doing something on facebook, clicking a paypall "Yes please donate it all" button, ... imagination is the limit.

Miguel Ventura  2010-01-23 00:45:17
Ok, I just read that. It doesn't answer the question. In fact, it makes things more confusing: "If an evil website decides it's going to frame your website, you will be framed. Period. Frame-busting is nothing more than a false sense of security; it doesn't work."If that is the case, why do it at all? Furthermore, the target of the attack is not necessarily the site being framed, it could be any site. So again, why bother busting the frame?
jedberg  2010-01-23 00:51:29
A: 

Apparently there is a tiny chance of a possible click-jack attack as demonstrated here:

http://dsandler.org/wp/archives/2009/02/12/dontclick

So I guess it kinda makes sense, but it is awfully inconvenient.

jedberg  2010-01-23 01:08:22
A: 

To protect its users from click jacking attacks. In simple words click jacking works like this:

  • The attacker hosts the malicious html file
  • This file loads the 'attacked' website in the background using a frame and by overlaying elements on top of the 'attacked' website it tries to trick the users into clicking something they didn't want to.

If an evil website decides it's going to frame your website, you will be framed. Period

Wrong. Mechanisms like the one implemented here in stackoverflow protect websites from being loaded inside another possibly malicious page. This way the site protects its users against click jacking attacks.

f that is the case, why do it at all? Furthermore, the target of the attack is not necessarily the site being framed, it could be any site. So again, why bother busting the frame?

The frame is used to load the 'victim's website inside a page that will try to trick the users. Busting the frame means that the site is blocking these possible click jacking attacks. Or at least adding an extra layer of security since these 'filters' can also be bypassed.

Read the original research paper about click jacking

pcp  2010-01-28 08:15:38

related questions

What are the potential pitfalls of using HTML Frames for templating?
Resizing an iframe based on content
Running Google Analytics in iframe?
"Access is denied" error on accessing iframe document object
Googlebot + IFrames ?
Javascript Iframe innerHTML
Mouse Scroll Wheel and IFRAME
Options for Dynamic content in ASP.Net
Is there a way to get the parent URL from an Iframe's content?
How to auto-focus RTE editor inside firefox?
Accessing Domain Cookies within an iFrame on Internet Explorer
Are iframes a terrible idea?
Silverlight app and an iframe co-existing on the same page
What's the best way to reload a iframe using javascript?
Dreaded iframe horizontal scroll bar can't be removed in IE?
Remove border from IFrame
iframe wikipedia article without the wrapper
<iframe> - How to show the whole height of referenced page?
Embed asp page without iframe
Can I prevent user pasting Javascript into Design Mode IFrame?
How do I get the current location of an iframe?
Retrieving HTTP status code from loaded iframe with Javascript
Making an iframe take vertical space
iFrame Best Practices
Options for Google Maps over SSL