Comments on: iframes are evil http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/ A tool for designers dealing with programmers dealing with designers... Wed, 09 Jul 2008 02:56:06 +0000 http://wordpress.org/?v=2.5.1 By: Gareth Heyes http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-589 Gareth Heyes Mon, 10 Sep 2007 10:03:43 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-589 I'm so sorry about the code in comments, I've finally taken the time to update my security plugin and encoded the correct characters. You should be able to post code on the blog now without it being stripped out. I’m so sorry about the code in comments, I’ve finally taken the time to update my security plugin and encoded the correct characters. You should be able to post code on the blog now without it being stripped out.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-580 Gareth Heyes Mon, 10 Sep 2007 07:25:34 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-580 @Evert Yeah I wish that would happen sooner rather than later. @Evert

Yeah I wish that would happen sooner rather than later.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-579 Gareth Heyes Mon, 10 Sep 2007 07:24:12 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-579 Yeah I know I'm sorry. I didn't write the code on this blog, I'm gonna sort it out. Yeah I know I’m sorry. I didn’t write the code on this blog, I’m gonna sort it out.

]]> By: digi7al64 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-578 digi7al64 Mon, 10 Sep 2007 04:35:59 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-578 meh - sorry but no matter what i do it just doesn't render right. Honestly no offence to yourself Gareth but this sucks, we can post comments that use greater or less then signs. i mean how hard is it to encode em rather then delete them? meh - sorry but no matter what i do it just doesn’t render right.

Honestly no offence to yourself Gareth but this sucks, we can post comments that use greater or less then signs. i mean how hard is it to encode em rather then delete them?

]]> By: digi7al64 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-577 digi7al64 Mon, 10 Sep 2007 04:33:54 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-577 oops. forgot to wrap the code false true false true false true oops. forgot to wrap the code

false
true

false
true

false
true

]]> By: digi7al64 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-576 digi7al64 Mon, 10 Sep 2007 04:30:45 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-576 the problem with your solution is that if a page is hacked via persistant xss then "" could be overwritten or excluded. What we need is a new document that resides on servers that dictate was rules the browser should follow. similar to crossdomain.xml but with more clout true false true false true false This way by setting flags for true or false based on the domain you eleminate a lot of the remote inclusions that cause issues the problem with your solution is that if a page is hacked via persistant xss then “” could be overwritten or excluded. What we need is a new document that resides on servers that dictate was rules the browser should follow. similar to
crossdomain.xml but with more clout

true
false

true
false

true
false

This way by setting flags for true or false based on the domain you eleminate a lot of the remote inclusions that cause issues

]]> By: Evert http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-574 Evert Sun, 09 Sep 2007 23:21:32 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-574 I'm just waiting for the day when we can include a security profile per site, allowing use to disable javascript altogether, iframes, javascript accessing cookies, etc, etc.. I’m just waiting for the day when we can include a security profile per site, allowing use to disable javascript altogether, iframes, javascript accessing cookies, etc, etc..

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-569 Gareth Heyes Sun, 09 Sep 2007 15:32:12 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-569 Yeah that would be a fantastic feature in noscript, also removing the visited attribute in CSS, window.open etc Yeah that would be a fantastic feature in noscript, also removing the visited attribute in CSS, window.open etc

]]> By: Bipin 3~ Upadhyay http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-568 Bipin 3~ Upadhyay Sun, 09 Sep 2007 12:49:24 +0000 http://www.thespanner.co.uk/2007/09/09/iframes-are-evil/#comment-568 It's a strange coincidence (though not such a big one for the world to celebrate :P). I had some similar feelings after looking at "several" attacks possible using iframes (including the CSS ones). The most prominent being the recent "Bank Of India" hack, where the attackers used iframes to download malware on the users system (please correct me if I am mistaken). I was in fact thinking of initiating a discussion thread on Slackers and..... go the extent of requesting Maone to include an option to disable iframes in NoScript. :) IMHO, that's the only way I see currently to save oneself in these CSS and drive-by download attack scenarios. It’s a strange coincidence (though not such a big one for the world to celebrate :P).
I had some similar feelings after looking at “several” attacks possible using iframes (including the CSS ones). The most prominent being the recent “Bank Of India” hack, where the attackers used iframes to download malware on the users system (please correct me if I am mistaken).
I was in fact thinking of initiating a discussion thread on Slackers and….. go the extent of requesting Maone to include an option to disable iframes in NoScript. :)
IMHO, that’s the only way I see currently to save oneself in these CSS and drive-by download attack scenarios.

]]>