HTML Frames Considered Harmful

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"

Parent-child window links

[0x0d0a]

Really, it sucks that there's no visual association between child and parent windows (like a string attaching them, or something). If a dialog comes up from a Javascript, how are you to know what frame it belongs to?

The idea up throwing up dialogs really predates the need to provide a trusted interface to the user.

Re:Parent-child window links

[ZigMonty]

This is exactly what Apple fixed with "Sheets": a child window slides down from the title bar of the parent and remains attached.

Not a bug, a feature

[Twirlip+of+the+Mists]

It seems to me that the whole premise behind this so-called vulnerability is wrong. Frames and windows don't have owners, so there's nothing for the browser to verify.

So yeah, I think the "a specified design feature of frames" thing is pretty close to the truth.

Re:Not a bug, a feature

[bentcd]

It doesn't rely on Javascript; as far as I can tell it uses straight HTML tags to do its thing. This means that even the paranoid ones such as myself are vulnerable to this sort of attack. I tend to find that interesting in and of itself :-)

Never heard of Secunia till today.

Frames-based cross-browser security vulnerability, or self-promotional alarmist press release by heretofore unknown consultancy?

It Does not affect FireFox 0.9.1

[freakyfreak]

I just ran their test and it did not work on me. It loaded the page in a new tab instead of the MSN frame. I have Tabbed Browser Extensions installed with nearly everything set to open in a new tab.

I'm not sure what setting it is. I've done everything but disable the extension and it still opens in a new tab instead of the frame. So looks like they did not do very extensive testing.

I also tried it on a Windows 98 computer with a fresh install of FireFox 0.9.1 with no extensions installed and it doesn't work again. When I click on the link to open the test page it just does nothing. I tried it with the msn site opened in a new window, a new tab and a new tab in a seperate window. Still nada.

It looks like FireFox 0.9.1 is not affected. Can anyone else reproduce my results?

Re:This may be exploited and is a real threat

[aWalrus]

Except where you can do this with real sites, without the need to spoof a whole site. If the *real* site uses frames in the design, you can just change that frame, not the whole site. The "link list" I suggested was just to increase the likelihood that the sites in question are opened.

Re:Fixed in Mozilla 1.7 and Firefox 0.9

[jesser]

When you report security bugs to Microsoft, how do you report them? My methods are in http://www.squarefree.com/archives/000374.html and a comment on the same page.

Re:Frames are evil, anyway

with the mistaken belief ...[it] makes downloading quicker

Umm, that's not a mistaken belief. In fact, you'd have to try really REALLY hard to make it not true. I get sick of sites wiping the entire screen only to reload the exact same HTML for their "menu" every time you open a different option. Frames are not evil unless the user is an idiot, and a huge portion of internet users are still using 56k or slower modems.

I get really sick of this, actually. One usability expert says frames are bad because they confuse a few people, and everyone just repeats it as if it were gospel, not bothering to think about the benefits that can apply. Frames are 100% non-evil when used well.

What's evil is including 20k of "menu code" on every fucking page.