Slashdot Mirror


HTML Frames Considered Harmful

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"

3 of 104 comments

  1. Parent-child window links by 0x0d0a · · Score: 5, Interesting

    Really, it sucks that there's no visual association between child and parent windows (like a string attaching them, or something). If a dialog comes up from a Javascript, how are you to know what frame it belongs to?

    The idea of throwing up dialogs really predates the need to provide a trusted interface to the user.

  2. Not a bug, a feature by Twirlip of the Mists · · Score: 3, Interesting

    It seems to me that the whole premise behind this so-called vulnerability is wrong. Frames and windows don't have owners, so there's nothing for the browser to verify.

    So yeah, I think the "a specified design feature of frames" thing is pretty close to the truth.

    --

    I write in my journal
    1. Re:Not a bug, a feature by bentcd · · Score: 3, Interesting

      It doesn't rely on Javascript; as far as I can tell it uses straight HTML tags to do its thing. This means that even the paranoid ones such as myself are vulnerable to this sort of attack. I tend to find that interesting in and of itself :-)

      --
      sigs are hazardous to your health