Slashdot Mirror


Busting, and Fixing, Frame Busting

An anonymous reader writes "A study presented last week at the IEEE Web Security and Privacy workshop shows that frame busting code used at popular websites is easily circumvented. Frame busting is a widely used technique to prevent clickjacking attacks. The researchers propose better frame busting code and suggest that websites migrate to this new code."

8 of 111 comments

  1. Better Yet by Monkeedude1212 · · Score: 5, Insightful

    Remove Frames altogether. I honestly can't think of a time where a frame has made anything on the web easier save for Kingdom of Loathing.

    Even the Google Image searches - it's annoying that I have to click on the image and then click on another one to get linked to the full size image. Why not just make the image go straight to the image link, and put a URL under the image that goes to the page it's hosted on? No more frames, and less hassle.

    Frames constantly break websites, cause vulnerabilities, and have been a nuisance since the 90's.

    Anybody here have anything to say in the defense of frames?

    1. Re:Better Yet by emurphy42 · · Score: 3, Insightful

      The issue here is someone else putting a frame around your page, e.g. to track traffic, or to add a toolbar at the top (e.g. "share this page with your contacts at Facebook/Digg/whatever"), or to clickjack (read that FA for an explanation), or probably other things.

    2. Re:Better Yet by morgan_greywolf · · Score: 2, Insightful

      Right. Frames are annoying, so we say 'hasta la vista' to them. DIVs are equally annoying, buh-bye. JavaScript, Flash, animated GIFs, all annoying, gone. Java applets -- damned annoying. Hey, by the time we're done, we'll all be running lynx!

    3. Re:Better Yet by Anonymous Coward · · Score: 2, Insightful

      I had it going for a solid 9 months, before some jerk opened my web site from a frame, executed some bad code and crashed my server. Fixed it all up, but for whatever reason he'd keep attacking it. Having school to deal with, I didn't put forth the effort to fight back or put security around it, so I stopped hosting it.

      The fault is not the frame. The fault is yours, for allowing some arbitrary code to crash your server. You were 14 at the time, and making mistakes is normal. But the fault is not on the HTML spec, but solely on your bad coding.

    4. Re:Better Yet by The+MAZZTer · · Score: 2, Insightful

      Google Images uses frames in a useful fashion, imo.

    5. Re:Better Yet by riegel · · Score: 2, Insightful

      Can you say that a bit slower? I am missing how/what happened that someone could execute code on your server using frames.

      --
      http://p8ste.com - Web based Clipboard

  2. 1995 called by Anonymous Coward · · Score: 1, Insightful

    They want their frames back.

  3. "Better" code fails if javascript is disabled by ChaosDiscord · · Score: 2, Insightful

    The "better" code fails if javascript is disabled. It fails "safe," if "safe" is defined as "completely uselessly." The entire page is hidden with CSS until some javascript runs that reveals it. Using NoScript, possibly to defend against these very attacks? Congrats, the page silently disappears!

    The proposed fix is terrible. Regrettably, we're going to need browser makers to extend their browsers to really fix the problem.
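
Added example, not part of the thread or of the researchers' paper: a small model of the hide-then-reveal pattern the last comment describes, showing what the user ends up with in each combination of "framed" and "script ran". The markup in the comment is an assumed form of that pattern; `frameGuard`, `simulateLoad` and the URLs are hypothetical names constructed for the illustration.

```javascript
// Assumed form of the hide-then-reveal markup the comment describes
// (the thread itself does not reproduce it):
//   <style>html { display: none; }</style>
//   <script>
//     if (self === top) { document.documentElement.style.display = 'block'; }
//     else { top.location = self.location; }
//   </script>

// The script's logic, taking window-like objects so it can run outside a browser.
function frameGuard(self, top, doc) {
  if (self === top) {
    doc.documentElement.style.display = 'block'; // top-level: reveal the page
  } else {
    top.location = self.location;                // framed: navigate the top window to this page
  }
}

// Simulate one page load (hypothetical harness; URLs are constructed).
function simulateLoad({ framed, scriptsEnabled }) {
  // The stylesheet applies before any script runs, so the page starts hidden.
  const doc = { documentElement: { style: { display: 'none' } } };
  const self = { location: 'https://site.example/account' };
  const top = framed ? { location: 'https://framer.example/' } : self;
  if (scriptsEnabled) frameGuard(self, top, doc);
  return {
    visible: doc.documentElement.style.display !== 'none',
    topLocation: top.location,
  };
}

const CASES = [
  { framed: false, scriptsEnabled: true },
  { framed: true, scriptsEnabled: true },
  { framed: true, scriptsEnabled: false },
  { framed: false, scriptsEnabled: false }, // the NoScript case from the comment
];
for (const c of CASES) {
  console.log(JSON.stringify(c), '->', JSON.stringify(simulateLoad(c)));
}
```

The last case is the commenter's objection: an unframed visitor whose browser does not run the script gets a page that never becomes visible.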