Slashdot Mirror

← Back to Stories (view on slashdot.org)

HTML Frames Considered Harmful

Posted by timothy on from the also-ugly dept.

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"

5 of 104 comments (clear)

  1. Frames are evil, anyway by Anonymous Coward · · Score: 5, Insightful


    Since when was this news?!

    Frames are evil. Frames supposedly make the webdesigners job easier, but they cause an increased maintenance overhead. Frames supposedly creates a better interface to a website for the end-user, but they cause severe usability problems.

    Its common to see frames abused by newbies in implementing a left-hand menu and top banner layout with the mistaken belief its easier to maintain and makes downloading quicker. There are numerous problems this implementation raises typically related to the paradox it creates.

    To make-up for the usability deficiencies, many framed websites use some client-side techniques which cause further maintenance nightmares. There is a definite usability versus maintenance trade-off with frames, which make it a difficult technology to manage well. The alternatives available have none of these drawbacks, thus frames are a sub-optimal, and typically backward solution.

    Most of this "usability"-hacking of framed websites results in a complete dependancy on Javascript - another evil. Considering the on-going problems related to Windows lax security model (in the OS, Outlook and Internet Explorer) and the exponential growth of scripted worms and viruses (Melissa, Love Bug, Kornikova, SirCam, Code Red, Code Red II, Code Blue, Nimda), this convinces a greater number of surfers switching off Javascript entirely, which in turn causes a framed and scripted site to die a rather horrible death in the browser.

    1. Re:Frames are evil, anyway by lphuberdeau · · Score: 4, Insightful

      I have to agree that in common websites, frames are quite useless and ugly. All they really do is make nagivation a hell, but there are situations where frames are useful. I work on internally-used applications which sometimes have a web interface, and the users actually asked to have frames available in some cases. Frames can fill the gap between the usability of a standalone application and flexibility of the web.

      It might seem useless, but the simple fact that frames can be resized does suit most needs. Users can decide which section of the content is most useful to them. A common usage is when the users actually need to compare documents. Having both side by side can be nice.

      Just imagine Java's documentation without the frameset, it would really be a pain to search in. The class list is very long to load, and I'm quite happy they didn't simply include it in all pages.

      Frames are not evil, neither is JavaScript, it just depends on how it's used. Using frames for a menu is not a good thing, and using frames for a banner is simply worst. Those kind of usage really gave frames a bad reputation because they simply reduce the amount of usable space on the monitor. JavaScript used for pop-ups or ugly 'eye-candy' stuff really also is an error, but JavaScript can enable some real dynamism in a form and actually allow to save a lot of time in the processing. Isn't filling country, state and city automatically nice when a user enters a zip code?

      There used to be problems with JavaScript and browser compatibility, but it's not that bad anymore. Of course, IE simply won't support everything, but there are always workarounds.

      Really, those things are only evil if you're a designer. When you need to build an application that people will actually use and need to be productive, you need to look over those things to see if they could make the entire application better. Just don't abuse.

      --
      Qui ne va pas à la chasse n'a pas de gibier
      PHP Queb
  2. Parent-child window links by 0x0d0a · · Score: 5, Interesting

    Really, it sucks that there's no visual association between child and parent windows (like a string attaching them, or something). If a dialog comes up from a Javascript, how are you to know what frame it belongs to?

    The idea up throwing up dialogs really predates the need to provide a trusted interface to the user.

    --
    May we never see th
  3. The report by k4_pacific · · Score: 5, Funny

    Type: Spoofing
    Exploit: Local
    Effects: All browsers

    Description:
    A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

    The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.

    Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.

    Solution:
    Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.

    --
    Unknown host pong.
  4. Fixed in Mozilla 1.7 and Firefox 0.9 by jesser · · Score: 5, Informative

    Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

    Mozilla (bugzilla.mozilla.org 246448) Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17. Opera (bugs.opera.com 145283) No response. Microsoft On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

    Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

    --
    The shareholder is always right.