HTML Frames Considered Harmful

← Back to Stories (view on slashdot.org)

HTML Frames Considered Harmful

Posted by timothy on Thursday July 1, 2004 @06:21AM from the also-ugly dept.

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"

32 of 104 comments (clear)

Min score:

Reason:

Sort:

Frames are evil, anyway by Anonymous Coward · 2004-07-01 06:24 · Score: 5, Insightful

Since when was this news?!

Frames are evil. Frames supposedly make the webdesigners job easier, but they cause an increased maintenance overhead. Frames supposedly creates a better interface to a website for the end-user, but they cause severe usability problems.

Its common to see frames abused by newbies in implementing a left-hand menu and top banner layout with the mistaken belief its easier to maintain and makes downloading quicker. There are numerous problems this implementation raises typically related to the paradox it creates.

To make-up for the usability deficiencies, many framed websites use some client-side techniques which cause further maintenance nightmares. There is a definite usability versus maintenance trade-off with frames, which make it a difficult technology to manage well. The alternatives available have none of these drawbacks, thus frames are a sub-optimal, and typically backward solution.

Most of this "usability"-hacking of framed websites results in a complete dependancy on Javascript - another evil. Considering the on-going problems related to Windows lax security model (in the OS, Outlook and Internet Explorer) and the exponential growth of scripted worms and viruses (Melissa, Love Bug, Kornikova, SirCam, Code Red, Code Red II, Code Blue, Nimda), this convinces a greater number of surfers switching off Javascript entirely, which in turn causes a framed and scripted site to die a rather horrible death in the browser.
1. Re:Frames are evil, anyway by ericspinder · 2004-07-01 06:57 · Score: 3, Insightful
  
  the mistaken belief its easier to maintain and makes downloading quicker.
  It does make downloading successive pages quicker, but I don't know anybody at 14.4K, so it doesn't make anywhere near the difference that it used to. It helps download speed, if you have rollover image based navigation (really a mistake, but sometimes you don't have a choice). Also, before the ubiquiness of the Application server it was either use JavaScript Objects kept in a hidden frame (or what was later called a 'pop-under') or roll you own CGI session mgmt.
  However, you are right bout the need for usuability hacks with frames, just getting the back button to work right is a real pain. But, I disagree about JavaScript being 'Evil', it's a tool which is particularly well suited for client side actions. I have used JavaScript recently to re-order a list rather than redoing the query, it's much faster than any of the alternatives. If you want to surf the net with JavaScipt turned off, that's your business. Now I avoid frames, unless I am told that is how it will be, but JavaScript is still very useful, especially combined with CSS (aka DHTML)
  The "lax" windows security model and the viruses you mention may be issues, but they have nothing to do with this issue. It's like saying: "Becuase of the war in Iraq, and the growth of fungus, You should only have salad at McDonalds', because it's better for you, QED."
  
  --
  The grass is only greener, if you don't take care of your own lawn.
2. Re:Frames are evil, anyway by lphuberdeau · 2004-07-01 08:13 · Score: 4, Insightful
  
  I have to agree that in common websites, frames are quite useless and ugly. All they really do is make nagivation a hell, but there are situations where frames are useful. I work on internally-used applications which sometimes have a web interface, and the users actually asked to have frames available in some cases. Frames can fill the gap between the usability of a standalone application and flexibility of the web.
  
  It might seem useless, but the simple fact that frames can be resized does suit most needs. Users can decide which section of the content is most useful to them. A common usage is when the users actually need to compare documents. Having both side by side can be nice.
  
  Just imagine Java's documentation without the frameset, it would really be a pain to search in. The class list is very long to load, and I'm quite happy they didn't simply include it in all pages.
  
  Frames are not evil, neither is JavaScript, it just depends on how it's used. Using frames for a menu is not a good thing, and using frames for a banner is simply worst. Those kind of usage really gave frames a bad reputation because they simply reduce the amount of usable space on the monitor. JavaScript used for pop-ups or ugly 'eye-candy' stuff really also is an error, but JavaScript can enable some real dynamism in a form and actually allow to save a lot of time in the processing. Isn't filling country, state and city automatically nice when a user enters a zip code?
  
  There used to be problems with JavaScript and browser compatibility, but it's not that bad anymore. Of course, IE simply won't support everything, but there are always workarounds.
  
  Really, those things are only evil if you're a designer. When you need to build an application that people will actually use and need to be productive, you need to look over those things to see if they could make the entire application better. Just don't abuse.
  
  --
  Qui ne va pas à la chasse n'a pas de gibier
  PHP Queb
3. Re:Frames are evil, anyway by Anonymous Coward · 2004-07-01 10:28 · Score: 2, Interesting
  
  with the mistaken belief ...[it] makes downloading quicker
  
  Umm, that's not a mistaken belief. In fact, you'd have to try really REALLY hard to make it not true. I get sick of sites wiping the entire screen only to reload the exact same HTML for their "menu" every time you open a different option. Frames are not evil unless the user is an idiot, and a huge portion of internet users are still using 56k or slower modems.
  
  I get really sick of this, actually. One usability expert says frames are bad because they confuse a few people, and everyone just repeats it as if it were gospel, not bothering to think about the benefits that can apply. Frames are 100% non-evil when used well.
  
  What's evil is including 20k of "menu code" on every fucking page.
4. Re:Frames are evil, anyway by lphuberdeau · 2004-07-01 12:08 · Score: 2, Informative
  
  Depends on what the scope is, and you don't need to load everything in the first place anyway.
  
  I'll just use an example from Frank Boumphrey (Source: http://conf.phpquebec.org/main.php/en/cdrom2004/se ssion#3), this system was used for an hospital, only the local/frequent zip codes were sent to the client in the first place. Once again, this was for an internal application, but it can really apply anywhere.
  
  If sending the entire list is not an option, it's still possible to get the page to go fetch the information directly using Mozilla's XMLHttpRequest class or IE's HTTPREQUEST ActiveX component. (Well explained here: http://www.phppatterns.com/index.php/article/artic leview/82/1/2/).
  
  Those features are quite obscur but have been around for quite a while now (years). Most browsers actually support it. And for the other ones, they can still type the entire thing.
  
  I hope these details answered your questions.
  
  --
  Qui ne va pas à la chasse n'a pas de gibier
  PHP Queb
no posts, already slashdotted by danguyf · 2004-07-01 06:26 · Score: 3, Funny

I clicked "Vulnerabilities" in Secunia's menu frame and now the site won't come up... Which is the greater danger, frames or the slashdot effect?
Parent-child window links by 0x0d0a · 2004-07-01 06:26 · Score: 5, Interesting

Really, it sucks that there's no visual association between child and parent windows (like a string attaching them, or something). If a dialog comes up from a Javascript, how are you to know what frame it belongs to?

The idea up throwing up dialogs really predates the need to provide a trusted interface to the user.

--
May we never see th
1. Re:Parent-child window links by ZigMonty · 2004-07-02 14:52 · Score: 2, Interesting
  
  This is exactly what Apple fixed with "Sheets": a child window slides down from the title bar of the parent and remains attached.
Not a bug, a feature by Twirlip+of+the+Mists · 2004-07-01 06:26 · Score: 3, Interesting

It seems to me that the whole premise behind this so-called vulnerability is wrong. Frames and windows don't have owners, so there's nothing for the browser to verify.

So yeah, I think the "a specified design feature of frames" thing is pretty close to the truth.

--

I write in my journal
1. Re:Not a bug, a feature by bentcd · 2004-07-01 07:47 · Score: 3, Interesting
  
  It doesn't rely on Javascript; as far as I can tell it uses straight HTML tags to do its thing. This means that even the paranoid ones such as myself are vulnerable to this sort of attack. I tend to find that interesting in and of itself :-)
  
  --
  sigs are hazardous to your health
2. Re:Not a bug, a feature by Matthew+Weigel · 2004-07-01 09:02 · Score: 2, Informative
  
  Parent window? Child window?
  Different windows. Open a new copy of your browser, doesn't matter how...
  This is a vulnerability because no matter how separate the user tries to keep two windows (for instance, using a bookmark to open ImportantBanking.com rather than clicking on a link to ImportantBanking.com from an untrusted external website), an untrusted external website can change the content in a frame of the ImportantBanking.com window.
  
  --
  --Matthew
CSS by Joe+the+Lesser · 2004-07-01 06:29 · Score: 3, Informative

My IT professors beat into my brain that all formatting that even remotely resembles frames should be done with CSS(Cascading Style Sheets) positioning.

--
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
1. Re:CSS by NutscrapeSucks · 2004-07-01 07:19 · Score: 2, Insightful
  
  This is true for the most part. However sometimes you want content to stay on the page without doing a reload (perhaps there's a long database query or something). In that case frames/iframes are pretty much your only choice.
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
2. Re:CSS by bofkentucky · 2004-07-01 07:28 · Score: 2, Informative
  
  or tags to include staticly generated content without aditional load on the server.
  
  --
  09f911029d74e35bd84156c5635688c0
3. Re:CSS by The+Mayor · 2004-07-01 08:30 · Score: 3, Informative
  
  In addition to using the tag, which is available only to IE users, you can also use tags and issuing requests to a hidden iframe that posts the results back to the parent window. Using the div tag approach, of course, still requires an iframe, but at least it's cross platform.
  
  --
  --Be human.
4. Re:CSS by bofkentucky · 2004-07-01 09:53 · Score: 2, Informative
  
  Actually it is the reverse, NS7 and Moz1.8a1 render the object tag, which is valid HTML4.0 strict/XHTML1.0 strict perfectly
  
  NS4.80 does what it should when you can't render an object, render the content that the object surrounds
  
  IE6sp1 fails to render the object or the alternative, see for yourself here.
  
  --
  09f911029d74e35bd84156c5635688c0
Didn't work on me by MachDelta · 2004-07-01 06:29 · Score: 3, Informative

Meh, didn't work on me. I've got Firefox set up to open links in new tabs, so all that happened was the supposed "frame" from Secunia appeared in its own tab. The only way for a link to open within an existing tab is if A) I tell it so, and B) it originates from the same tab. So nyeh!
1. Re:Didn't work on me by TulioSerpio · 2004-07-01 07:40 · Score: 3, Informative
  
  The site says Firefox 0.9 is not affected.
  
  --
  I'm from Argentina: Tango, Asado, Mate, Gaucho, Maradona, YPF
Fortunately, not every browser... by Anonymous Coward · 2004-07-01 06:29 · Score: 3, Funny

Those of use using the Contiki web browser as our primary browser are still safe! Phew!
Wasted time. by BrookHarty · 2004-07-01 06:33 · Score: 3, Informative

I'm sitting here trying to get this to work on IE, Mozilla and Firefox then I read the bottom of the page.

The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux

All my browsers are allready patched! Even IE was patched.
1. Re:Wasted time. by stienman · 2004-07-01 07:53 · Score: 2, Informative
  
  It worked on my Mozilla 1.7
  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514
  
  -Adam
The report by k4_pacific · 2004-07-01 06:38 · Score: 5, Funny

Type: Spoofing
Exploit: Local
Effects: All browsers

Description:
A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.

Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.

Solution:
Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.

--
Unknown host pong.
No Kidding! by blunte · 2004-07-01 06:39 · Score: 2, Funny

Here I am feeling like a loser because I can't make the bug work.

"Damnit! Even the stupid bugs and exploits don't work on this crappy machine!"

--
.sigs are for post^Hers.
IE with proper security settings not affected. by bentfork · 2004-07-01 06:42 · Score: 3, Informative

This is the same problem that is being exploited by banner ads setting cookies across domains.
If you go to security settings in IE ( I've checked IE 6.x ) click custom level, and set "Navigate sub-frames across different domains" to prompt. You will get a nice little pop up warning.
Now I can visit unsafe websites like microsoft.con
a null issue by TheSHAD0W · 2004-07-01 07:24 · Score: 2, Insightful

There really isn't much difference between a transparent frame with a Java app intercepting access to a legitimate web page, and someone's creating a mock-up of the legitimate page; either way, the only real way to tell is the URL displayed in the address bar. Any real solution for one should work for the other.
Fixed in Mozilla 1.7 and Firefox 0.9 by jesser · 2004-07-01 07:24 · Score: 5, Informative

Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:
Mozilla (bugzilla.mozilla.org 246448) Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17. Opera (bugs.opera.com 145283) No response. Microsoft On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.
Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

--
The shareholder is always right.
1. Re:Fixed in Mozilla 1.7 and Firefox 0.9 by jesser · 2004-07-01 09:47 · Score: 2, Interesting
  
  When you report security bugs to Microsoft, how do you report them? My methods are in http://www.squarefree.com/archives/000374.html and a comment on the same page.
  
  --
  The shareholder is always right.
This may be exploited and is a real threat by aWalrus · 2004-07-01 07:34 · Score: 3, Informative

Although it's true that this is "working as designed", it does present an interesting exploit scenario. Let's assume you visit evilguy's site, supposed to be a financial portal. From there, a list of links direct you to the (framed) pages of banks where you can run your operations.

Now, evilguy's site has javascript code running that will detect when one of the interesting frames is available (frames that contain login info). It means that you're trying to log into your account at one of the bank sites. What it does is serve you a facsimile that looks exactly like the original login screen, except this one sends the info to evilguy's site.

When your login info is in evilguy's database, he just sends it to the bank and replaces the frame again with the content the bank returned. Voila! Successfully executed framejacking to invisibly steal your login info.

This might be serious.

--
Overcaffeinated. Angry geeks.
1. Re:This may be exploited and is a real threat by aWalrus · 2004-07-01 09:31 · Score: 2, Interesting
  
  Except where you can do this with real sites, without the need to spoof a whole site. If the *real* site uses frames in the design, you can just change that frame, not the whole site. The "link list" I suggested was just to increase the likelihood that the sites in question are opened.
  
  --
  Overcaffeinated. Angry geeks.
Re:"discovery" after fix!? by jesser · 2004-07-01 08:50 · Score: 2, Informative

Several security holes have been fixed since Mozilla 1.4, including an arbitrary code execution hole. Please upgrade to Mozilla 1.7 or Firefox 0.9.

Security holes are discovered and fixed in web browsers often. To be safe with any browser, you should upgrade when a new version is released, regardless of whether the release is accompanied by a security advisory regarding older versions.

--
The shareholder is always right.
It Does not affect FireFox 0.9.1 by freakyfreak · 2004-07-01 09:03 · Score: 2, Interesting

I just ran their test and it did not work on me. It loaded the page in a new tab instead of the MSN frame. I have Tabbed Browser Extensions installed with nearly everything set to open in a new tab.

I'm not sure what setting it is. I've done everything but disable the extension and it still opens in a new tab instead of the frame. So looks like they did not do very extensive testing.

I also tried it on a Windows 98 computer with a fresh install of FireFox 0.9.1 with no extensions installed and it doesn't work again. When I click on the link to open the test page it just does nothing. I tried it with the msn site opened in a new window, a new tab and a new tab in a seperate window. Still nada.

It looks like FireFox 0.9.1 is not affected. Can anyone else reproduce my results?
Re:"discovery" after fix!? by jesser · 2004-07-01 09:51 · Score: 2, Informative

I thought Mozilla [1.4.x] was the "supported" version that recieved security updates?

It was, until Mozilla 1.7 was released. Mozilla 1.7 is the new stable branch. Don't expect more 1.4.x releases.

--
The shareholder is always right.