iframes are evil
Sunday, 9 September 2007
If I were in charge of browser security I would remove them completely; they are simply a bad idea, and I predict a huge rise in iframe-based attacks, from browser exploits to CSRF. I know this won’t happen because too many people use them without understanding the security implications.
So I suggest an HTML tag/attribute to enable or disable the use of iframes, with access disallowed by default. To enable them on your site you would have to add the following to your HTML document, e.g.
<html security="iframe">
This would allow iframes on a per-page basis; if the security attribute is not present, the browser would refuse the iframe with an error message like “iframe not allowed on this page”.
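As an added illustration of the proposed opt-in (this is not code from the post, and the attribute and error message are hypothetical), the following model of the check parses a document, honours security="iframe" only on the first html tag so that a later copy of the tag cannot switch iframes on, and reports every iframe the page would have to refuse:

```python
from html.parser import HTMLParser

# Error text taken from the post's proposal.
IFRAME_ERROR = "iframe not allowed on this page"


class IframePolicyParser(HTMLParser):
    """Hypothetical enforcement of a per-page security="iframe" opt-in.

    Only the first <html> start tag is consulted, so the same attribute
    appearing later in the document (e.g. inside injected content) is
    ignored rather than treated as an opt-in.
    """

    def __init__(self):
        super().__init__()
        self.iframes_allowed = False
        self.root_seen = False
        self.allowed = []   # src values of iframes the page opted in to
        self.blocked = []   # (src, error) for iframes refused by policy

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "html" and not self.root_seen:
            self.root_seen = True
            tokens = (attrs.get("security") or "").lower().split()
            self.iframes_allowed = "iframe" in tokens
        elif tag == "iframe":
            src = attrs.get("src") or ""
            if self.iframes_allowed:
                self.allowed.append(src)
            else:
                self.blocked.append((src, IFRAME_ERROR))


def check_iframes(document):
    """Return (allowed_srcs, blocked) for an HTML document string."""
    parser = IframePolicyParser()
    parser.feed(document)
    parser.close()
    return parser.allowed, parser.blocked


# Constructed sample documents (not from the post).
OPTED_IN = '<html security="iframe"><body><iframe src="https://example.com/widget"></iframe></body></html>'
DEFAULT = '<html><body><iframe src="https://example.com/widget"></iframe></body></html>'
LATE_TAG = ('<html><body><p>user content</p>'
            '<html security="iframe"><iframe src="https://example.com/late"></iframe>'
            '</body></html>')

if __name__ == "__main__":
    for name, doc in [("opted in", OPTED_IN), ("default", DEFAULT), ("late tag", LATE_TAG)]:
        print(name, check_iframes(doc))
```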
No. 1 — September 9th, 2007 at 12:49 pm
It’s a strange coincidence (though not such a big one for the world to celebrate :P).
I had some similar feelings after looking at “several” attacks possible using iframes (including the CSS ones). The most prominent being the recent “Bank Of India” hack, where the attackers used iframes to download malware on the user’s system (please correct me if I am mistaken).
I was in fact thinking of initiating a discussion thread on Slackers and….. go to the extent of requesting Maone to include an option to disable iframes in NoScript. 🙂
IMHO, that’s the only way I see currently to save oneself in these CSS and drive-by download attack scenarios.
No. 2 — September 9th, 2007 at 3:32 pm
Yeah that would be a fantastic feature in noscript, also removing the visited attribute in CSS, window.open etc
No. 3 — September 9th, 2007 at 11:21 pm
I’m just waiting for the day when we can include a security profile per site, allowing us to disable javascript altogether, iframes, javascript accessing cookies, etc., etc.
No. 4 — September 10th, 2007 at 4:30 am
the problem with your solution is that if a page is hacked via persistent XSS then “” could be overwritten or excluded. What we need is a new document that resides on servers that dictates what rules the browser should follow, similar to crossdomain.xml but with more clout
true
false
true
false
true
false
This way, by setting flags for true or false based on the domain, you eliminate a lot of the remote inclusions that cause issues
No. 5 — September 10th, 2007 at 4:33 am
oops. forgot to wrap the code
false
true
false
true
false
true
No. 6 — September 10th, 2007 at 4:35 am
meh – sorry but no matter what i do it just doesn’t render right.
Honestly no offence to yourself Gareth but this sucks, we can post comments that use greater or less than signs. I mean how hard is it to encode em rather than delete them?
No. 7 — September 10th, 2007 at 7:24 am
Yeah I know I’m sorry. I didn’t write the code on this blog, I’m gonna sort it out.
No. 8 — September 10th, 2007 at 7:25 am
@Evert
Yeah I wish that would happen sooner rather than later.
No. 9 — September 10th, 2007 at 10:03 am
I’m so sorry about the code in comments, I’ve finally taken the time to update my security plugin and encoded the correct characters. You should be able to post code on the blog now without it being stripped out.