Comments on: CSS overlays and frame breakers http://www.thespanner.co.uk/2008/08/10/css-overlays-and-frame-breakers/ A tool for designers dealing with programmers dealing with designers... Fri, 10 Sep 2010 15:40:48 +0000 http://wordpress.org/?v=2.6.2 By: rvdh http://www.thespanner.co.uk/2008/08/10/css-overlays-and-frame-breakers/#comment-1283 rvdh Tue, 12 Aug 2008 05:33:58 +0000 http://www.thespanner.co.uk/?p=220#comment-1283 One problem though, the anti-csrf seems vulnerable to overwriting GLOBALS. I skimmed through the code, but I cannot find any GLOBALS protection that prevent GLOBALS from being overwritten though REQUEST, GET, COOKIE, and SESSION. Example: somescript.php?GLOBALS[foo]=bar One problem though, the anti-csrf seems vulnerable to overwriting GLOBALS. I skimmed through the code, but I cannot find any GLOBALS protection that prevent GLOBALS from being overwritten though REQUEST, GET, COOKIE, and SESSION.

Example:

somescript.php?GLOBALS[foo]=bar

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/08/10/css-overlays-and-frame-breakers/#comment-1280 Gareth Heyes Mon, 11 Aug 2008 12:50:37 +0000 http://www.thespanner.co.uk/?p=220#comment-1280 @Evert Interesting, could you provide a example of this? Are you saying it's possible to supply a browser security policy through http headers? @Evert

Interesting, could you provide a example of this? Are you saying it’s possible to supply a browser security policy through http headers?

]]> By: Evert http://www.thespanner.co.uk/2008/08/10/css-overlays-and-frame-breakers/#comment-1279 Evert Mon, 11 Aug 2008 12:38:13 +0000 http://www.thespanner.co.uk/?p=220#comment-1279 Note that you can get around the cookie-in-frames restriction by supplying a p3p header. Note that you can get around the cookie-in-frames restriction by supplying a p3p header.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/08/10/css-overlays-and-frame-breakers/#comment-1278 Gareth Heyes Mon, 11 Aug 2008 11:31:49 +0000 http://www.thespanner.co.uk/?p=220#comment-1278 frames and iframes can be used to fooling you into clicking something that isn't what you think it is. Using a frame breaker can prevent this sort of attack frames and iframes can be used to fooling you into clicking something that isn’t what you think it is. Using a frame breaker can prevent this sort of attack

]]> By: Johny http://www.thespanner.co.uk/2008/08/10/css-overlays-and-frame-breakers/#comment-1277 Johny Mon, 11 Aug 2008 10:33:04 +0000 http://www.thespanner.co.uk/?p=220#comment-1277 well frames are still alive? Thought i have to go to the waybackmachine if i would like to see. well frames are still alive? Thought i have to go to the waybackmachine if i would like to see.

]]>