Comments on: IFrames security summary http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/ A tool for designers dealing with programmers dealing with designers... Mon, 15 Mar 2010 06:32:06 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1457 Gareth Heyes Tue, 10 Feb 2009 00:08:14 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1457 @Gunner The use of iframes on your web site is not a security risk as long as you are not referencing external sites. The point of this article was to highlight how iframes and their functionality can be used in ways in which wasn't intended @Gunner

The use of iframes on your web site is not a security risk as long as you are not referencing external sites.

The point of this article was to highlight how iframes and their functionality can be used in ways in which wasn’t intended

]]> By: Gunner http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1456 Gunner Mon, 09 Feb 2009 22:28:03 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1456 I'm debating the use of iframes and security is my main concern. The iframe would reference other pages at our site not external pages. But I'm trying to figure out how using iframes on my site is a security risk. It seems that iframes themselves do not have security flaws. How would someone exploit an iframe on my site if my site is not compromised and I clean all user input of any html so they cannot inject an iframe. It seems to me some other aspect of a website has to fail before an iframe can be used in a malicious way. And in those cases it is not the site's iframes that are used, but iframes created by the attacker. Is there something I'm missing? I appreciate the article, just trying to make sure I understand iframes. I’m debating the use of iframes and security is my main concern. The iframe would reference other pages at our site not external pages. But I’m trying to figure out how using iframes on my site is a security risk. It seems that iframes themselves do not have security flaws. How would someone exploit an iframe on my site if my site is not compromised and I clean all user input of any html so they cannot inject an iframe. It seems to me some other aspect of a website has to fail before an iframe can be used in a malicious way. And in those cases it is not the site’s iframes that are used, but iframes created by the attacker. Is there something I’m missing? I appreciate the article, just trying to make sure I understand iframes.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1412 Gareth Heyes Thu, 15 Jan 2009 18:08:23 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1412 @Bruce LOL are you a advertising network by any chance? If not explain why it is hogwash with some detailed examples. @Bruce LOL are you a advertising network by any chance? If not explain why it is hogwash with some detailed examples.

]]> By: Bruce http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1411 Bruce Thu, 15 Jan 2009 18:00:15 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1411 I'm sorry but your iframes rant is pretty much all hogwash. You should stop with the spreading of this type of misinformation. All of those scenarios are quite childish and don't in any case define any real security threat. In fact all of the scenarios can be attempted with just straight html. There are millions of iframes in use today. there is no evidence that they are a heightened security risk. I’m sorry but your iframes rant is pretty much all hogwash. You should stop with the spreading of this type of misinformation. All of those scenarios are quite childish and don’t in any case define any real security threat. In fact all of the scenarios can be attempted with just straight html. There are millions of iframes in use today. there is no evidence that they are a heightened security risk.

]]> By: Sreekanth http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1318 Sreekanth Wed, 24 Sep 2008 06:09:38 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-1318 Great brief. I am a beginner and did not know all these things could be done. Great brief. I am a beginner and did not know all these things could be done.

]]> By: Bipin 3~ Upadhyay http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-763 Bipin 3~ Upadhyay Sat, 27 Oct 2007 08:58:25 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-763 @Mat: Just to add to what Gareth said, you can use "security=restricted" parameter to bypass it in IE. http://crypto.stanford.edu/framebust/ @Mat:
Just to add to what Gareth said, you can use “security=restricted” parameter to bypass it in IE.
http://crypto.stanford.edu/framebust/

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-761 Gareth Heyes Fri, 26 Oct 2007 10:31:17 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-761 Yep actually I do recommend that on my blog. Only downside is that with IE it is possible to get round it. Yep actually I do recommend that on my blog. Only downside is that with IE it is possible to get round it.

]]> By: mat http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-760 mat Fri, 26 Oct 2007 10:05:17 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-760 Is a simple script like this one a good protection against iframe attacks : <script type="text/javascript"> if (top != self) top.location.href = location.href; </script> Thanks. Is a simple script like this one a good protection against iframe attacks :

<script type=”text/javascript”>
if (top != self)
top.location.href = location.href;
</script>

Thanks.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-755 Gareth Heyes Wed, 24 Oct 2007 18:37:02 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-755 Thanks Marco :) Thanks Marco :)

]]> By: Marco Ramilli http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-754 Marco Ramilli Wed, 24 Oct 2007 17:25:11 +0000 http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/#comment-754 Yep, great brief Gareth. Thanks. Yep, great brief Gareth.
Thanks.

]]>