*
programming and human factors
by Jeff Atwood
*
In my previous post, Url Shorteners: Destroying the Web Since 2002, I mentioned that one of the "features" of the new generation of URL shortening services is to frame the target content.
Digg is one of the most popular sites to implement this strategy. Here's how it works. If you're logged in to Digg, every target link you click from Digg is a shortened URL of their own creation. If I click through to a Stack Overflow article someone else has "Dugg", I'm sent to this link.
For logged in users, every outgoing Digg link is framed inside the "DiggBar". It's a way of dragging the Digg experience with you wherever you go -- while you're reading the target article, you can vote it up, see related articles, share, and so forth. And if you share this shortened URL with other users, they'll get the same behavior, provided they also hold a Digg login cookie.
At this point you're probably expecting me to rant about how evil the DiggBar is, and how it, too, is destroying the web, etcetera, etcetera, so on, and so forth. But I can't muster the indignant rage. I can give you, at best, ambivalence. Here's why:
In short, Digg isn't the problem. But even if they were -- if you don't want to be framed by the DiggBar, or any other website for that matter, you could put so-called "frame-busting" JavaScript in your pages.
if (parent.frames.length > 0) {
top.location.replace(document.location);
}
Problem solved! This code (or the many frame-busting variants thereof) does work on the DiggBar. But not every framing site is as reputable as Digg. What happens when we put on our hypothetical black hats and start designing for evil?
I'll tell you what happens. This happens.
var prevent_bust = 0 window.onbeforeunload = function() { prevent_bust++ } setInterval(function() { if (prevent_bust > 0) { prevent_bust -= 2 window.top.location = 'http://server-which-responds-with-204.com' } }, 1)On most browsers a 204 (No Content) HTTP response will do nothing, meaning it will leave you on the current page. But the request attempt will override the previous frame busting attempt, rendering it useless. If the server responds quickly this will be almost invisible to the user.
When life serves you lemons, make a lemon cannon. Produce frame-busting-busting JavaScript. This code does the following:
window.onbeforeonload event handler
setInterval(), and if it sees the counter incremented, changes the current location to an URL of the attacker's control
Net effect: frame-busting busted. Which might naturally lead you to wonder -- hey buster, can you bust the frame-busting buster? And, if so, where does it end?
In the 1998 movie, The Big Hit, the protagonists kidnap the daughter of an extremely wealthy Japanese businessman. When they call to deliver the ransom notice, they turn to Gump who employs a brand name Trace Buster to prevent police from tracing the call.
Unbeknownst to Gump, the father has a Trace-Buster-Buster at his disposal. This in turn triggers Gump to use his Trace-Buster-Buster-Buster in an ever escalating battle to evade detection.
What's really scary is that near as I can tell, there is no solution. Due to cross-domain JavaScript security restrictions, it is almost impossible for the framed site to block or interfere with the parent page's evil JavaScript that is intentionally and aggressively blocking the framebusting.
If an evil website decides it's going to frame your website, you will be framed. Period. Frame-busting is nothing more than a false sense of security; it doesn't work. This was a disturbing revelation to me, because framing is the first step on the road to clickjacking:
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.For example, a user might play a game in which they have to click on some buttons, but another authentic page like a web mail site from a popular service is loaded in a hidden iframe on top of the game. The iframe will load only if the user has saved the password for its respective site. The buttons in the game are placed such that their positions coincide exactly with the select all mail button and then the delete mail button. The consequence is that the user unknowingly deleted all the mail in their folder while playing a simple game. Other known exploits have been tricking users to enable their webcam and microphone through flash (which has since been corrected by Adobe), tricking users to make their social networking profile information public, making users follow someone on Twitter, etc.
I've fallen prey to a mild clickjacking exploit on Twitter myself! It really does happen -- and it's not hard to do.
Yes, Digg frames ethically, so your frame-busting of the DiggBar will appear to work. But if the framing site is evil, good luck. When faced with a determined, skilled adversary that wants to frame your contnet, all bets are off. I don't think it's possible to escape. So consider this a wakeup call: you should build clickjacking countermeasures as if your website could be framed at any time.
I was a skeptic. I didn't want to believe it either. But once shown the exploits on our own site -- fortunately, by a white hat security expert -- I lived to regret that. Don't let frame-busting code lull you into a false sense of security, too.
Frames themselves are evil. Many corporate firewalls prevent the display of pages that are embedded in a frame.
It would be good if the capability to create a frame was removed from the html markup.
John Davidson on June 18, 2009 4:30 AMYou could open a new window with the content and redirect the framed page to about:blank. Mind you, it's user-hostile to bust a friendly frame like Digg's; I would be inclined to allow users read-only access to the page if it thinks it's being framed. And give them a big BUST button if they want to upvote or comment or change their preferences.
(Heh, you could make the page read-only by superimposing an invisible frame.)
Kelsey on June 18, 2009 5:11 AMas you say, you cannot reliantly to bust out of a "malign" frame. But you can detect this condition and notify (or annoy) the user, right? For example:
if (top.location != document.href) { alert("stop framing me!"); }
Sort of final effort nuking if the frame busting didn't work...
nick on June 18, 2009 5:55 AMSecond!
Yes! on June 18, 2009 6:01 AMTo rid the frame busting busting JS, couldn't you just over ride the window.onbeforeunload function with an empty function? Then the counter would never get incremented and you could leave the page.
UFTimmy on June 18, 2009 6:02 AM@UFTimmy
Cross-domain security in the browser prevents you from doing this. You'd be modifying code on another domain.
Jeff Atwood on June 18, 2009 6:07 AMYou could always replace your content with [goatse|a page full of ads|a courteous notice] if the page is framed.
Ilia Jerebtsov on June 18, 2009 6:07 AMYou could always replace your content with [goatse|a page full of ads|a courteous notice] if the page is framed.
Ilia Jerebtsov on June 18, 2009 6:08 AMNot sure what happened there, but the first time I submitted my comment I got:
Your comment submission failed for the following reasons:
Publish failed: Renaming tempfile 'C:\codinghorror\blog\archives\001277.html.new' failed: Renaming 'C:\codinghorror\blog\archives\001277.html.new' to 'C:\codinghorror\blog\archives\001277.html' failed: Permission denied
But it seems the comment actually got there. Caching problems?
Ilia Jerebtsov on June 18, 2009 6:10 AMI would absolutely love a Firefox extension that replaces all third-party frames with a single link to the URL in question with rel="_top" set.
Miff on June 18, 2009 6:11 AMI was thinking like Ilia in this case. Why not hide all your content and then show only a message like:
You are being framed to this page, please go to
http://myurl.net/mycontent
to see the real content
in this case even if the overriding was overridden you could still detect it and try to get the user to go to the original content. Of course, all of this is dependent on the client browser having javascript enabled. If not then the frame stays no matter what you do.
Ira on June 18, 2009 6:13 AMWould sending a X-FRAME-OPTIONS HTTP header help?
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
Currently only supported by IE8 and Safari 4, but other browsers will surely follow.
Dirk Haun on June 18, 2009 6:18 AMThe clickjacking issue is considerably more complex than most realize:
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
particularly since NO browser can reliably unframe through JavaScript, despite these claims...
http://hackademix.net/2009/01/27/ehy-ie8-i-can-has-some-clickjacking-protection/
I find it quite amusing that IE is singled out (and to be fair, they have that really dumb directive) when framebusting is *NEVER* reliable in *ANY* browser.
Jeff Atwood on June 18, 2009 6:36 AMIn Winforms, if you set opacity to zero, the form effectively isn't there anymore and clicks go through to what ever is beneath - this could be something that browsers could look at doing... though setting to 'nearly' invisible would probably break that.
No more orange?
Ben on June 18, 2009 6:41 AMEleventh!
Why do people do this!
Richard on June 18, 2009 6:41 AMWe Done Been... Framed!
What???
Is that english? I can't make sense of the title, am I missing some obscure reference?
Or you could just use NoScript, (http://noscript.net/) like all the cool kids.
(Punchline: I had codinghorror.com blocked, and had to allow it to get recaptcha to work.)
bbot on June 18, 2009 7:00 AMExcept that according to Google the link=canonical can't be used to suggest a page on a different domain, and will be ignored.
Can rel="canonical" be used to suggest a canonical url on a completely different domain?
No. To migrate to a completely different domain, permanent (301) redirects are more appropriate. Google currently will take canonicalization suggestions into account across subdomains (or within a domain), but not across domains. So site owners can specify a canonical page on www.example.com from a set of pages on example.com or help.example.com, but not on example-widgets.com.
Could you detect framing, try to bust it, and if that doesn't work then redirect your way out of the frame? And if not, why not?
Dinah on June 18, 2009 7:06 AMAn interesting point that I was unaware of.
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx - Also interesting
Chris on June 18, 2009 7:12 AMI have a question, since the way article ended up is that framing is not so much bad for the websites as it is a risk to the users (thus bad rep for the site). Can external javascript fix this? For example a Greasemonkey script for Fx users?
Alexei on June 18, 2009 7:33 AMI'm glad you've stopped talking about regular expressions, unix, and otehr things you don't understand, and have gone back to masturbatory web-development garbage. It's where you belong
broseph on June 18, 2009 7:37 AMYou started to lead into my real fear regarding clickjacking -- Ads.
The popup ads that just add a layer over your screen, with a 'Close' link on it?
We have no way of knowing what is really behind that close link. Sure, it is supposed to clear the ad that is blocking the content. But it COULD do anything.
I'm not the slightest but worried about framing until ads of this type go away.
Dave A. on June 18, 2009 7:54 AMA sub-optimal 'solution' that's working for me
1. (in firefox) go to about:config
2. set the browser.frames.enabled parameter to false
done!
(yes, I know this is a tad scorched-earth and doesn't help anyone else but seriously, frames?)
broseph:
So when Jeff posts about stuff he's learning, it's misinformed; when he posts about stuff he *does* know, it's masturbatory?
And yet you still take your valuable time to read his blog and then bother to comment on it!
P.S. Jeff has invested hours of his time into a fairly-useful blog and a fairly-useful site. What have you ever accomplished?
Joe Grossberg on June 18, 2009 8:10 AM"...skilled adversary that wants to frame your **contnet**, all bets are off"
Please fix.
Good article.
Josh on June 18, 2009 8:11 AMof course, the browser.frames.enabled parameter also kills iframes. d'oh
Jaysen on June 18, 2009 8:30 AMYou can torture them with an alert loop, or just launch a new window, right?
if(parent.frames.length > 0) {
document.body.style.display = 'none';
alert('How dare you frame into my web site!');
var w = window.open(location.href, 'mySite');
w.focus();
}
Someone should really build a client framework to get rid of all that stuff. How can I ever hope to build something significant if I have to worry about someone somewhere trying to steal my user mouse clicks?
Hoffmann on June 18, 2009 8:54 AMWhile you may not be able to escape the frame, you can control what you display when framed. For security-critical content or UI, you can use CSS so that the content is not visible by default, then enable it with Javascript after checking that you're not framed. This is akin to the blacklist vs. whitelist approach: rather than trying to stop the evil after you recognize it, instead be safe by default and only take the action (enable the content) once you know it's safe. This has obvious performance trade-offs, unfortunately, so it's mostly a technique for browsers where X-FRAME-OPTIONS or the equivalent are not available and you've decided protection is important.
PasserBy on June 18, 2009 9:08 AMI've seen almost nothing but evil exploits from IFrame use in websites. The tag should probably be deprecated and executed for the good of the web. IFrames the cancer of the web.
o.s. on June 18, 2009 9:10 AMHow about something like...
if framed
break frames
if still framed
replace content
And you replace the page's content with something like, "You're browsing our site through a disreputable intermediary. Please go to [url] to see this content the way it was meant to be seen and to deny these scumbags revenue.
On a completely unrelated note, anyone getting a distinct mid/late nineties vibe from this? One of the first things JavaScript was really popular for was breaking out of frames-- though then being stuck in a frame was usually the result of someone's poor framed design linking to your page in their content frame instead of the top. Jeff's first code segment brought back a huge rush of memories.
Asmor on June 18, 2009 9:16 AMThere is a way to figure out the parent frame's URI and make a decision if the frame should be busted. Just use document.referrer. Also, it would be best to
if (parent.frames.length > 0 && !/^[\w-]+:\/\/www\.reddit\.com\//.test(document.referrer)) {
top.location.replace(document.location);
}
I'm not a fan of the diggbar, but don't think it is the end of the world either. One interesting data point is that Kevin Rose didn't seem pleased the Truveo was iframing Rev3.
http://revision3.com/diggnation/safari4/#seek=1904:1960
This was prior to diggbar. Now that he's doing the same thing, I guess he's changed his mind.
TorgoGuy on June 18, 2009 9:28 AMI think my solution to this would be not to try to bust out of the frame, but to use javascript to blank out the content of the page with a notice saying that "This page is incompatible with digg" or something.
Because it's now "broken", nobody links to you via digg, and nobody gets a link to see you in their frame.
Kevin Laity on June 18, 2009 9:32 AMYou could detect if you're being framed and then open a new window that notifies the user of the situation.
To all the users posting JS to `alert('stop framing me');` This code will just annoy the end-user who will probably have no idea what a frame is.
Matthew on June 18, 2009 9:39 AMYes, replacing the content would not be ideal, you'd only scare users away. Probably best would be to add an info bar at the top notifying the user that since they are framing, clicks may not actually go where they think they did and to go to http://my.url/foo to ensure they are getting the authentic page.
Technologically, frame busting may be impossible, but social engineering can beat it.
Ben Boeckel on June 18, 2009 9:56 AMseems like this is a solution:
http://coderrr.wordpress.com/2009/06/18/anti-anti-frame-busting/
coderrr on June 18, 2009 10:23 AMIt seems like a local proxy like Proxomitron, which has for many years had built-in functionality to break unbeforeunload handlers, would be a pretty good protection against these kinds of frame-double-busting. The evil framing site can't prevent your busting if you've modified the content before the browser sees it.
Rick C on June 18, 2009 10:26 AM@John Davidson
Browsers would still support frames because of all the sites that use it.
pell on June 18, 2009 10:27 AMI'm assuming that we're ignoring browsers with Javascript disabled, because the malicious script wouldn't run. Nor would the frames buster script anyway.
That leaves scripting-enabled browsers. I would blank out the content, or replace everything with a normal message, asking the user to click a link to continue to the content.
Please follow
this link to access the website.
Your actual website opens in a brand new page, the user gets to see what he wants, and the malicious website gets none of the convenience of placing itself on top of your content.
Now, there might be problems with opening new browser windows each time this occurs, but with the new age browsers, these commands to open a new window actually opens a new tab instead. It isn't the best solution for users of ancient browsers (I'm looking at you, IE6), but as a general precaution, I believe that it's least disruptive in achieving the desired effect.
pkchukiss on June 18, 2009 10:53 AMUhhh.... Didn't Hofstadter already mention this class of problem in Gödel,Escher,Bach?
Berin Greenbear on June 18, 2009 11:07 AMWhat about instead busting the frame, changing the page to a link that bust the frame?
This should work, shouldn't?
Gustavo Ayres on June 18, 2009 11:16 AMI agree with bbot - NoScript ( http://noscript.net/ ) and similar client tools are one answer. See the nice discussion on Steve Gibson's Security Now! podcast: http://www.grc.com/sn/sn-168.htm
Bill Sorensen on June 18, 2009 11:22 AMFacebook does this now too with all external links
jesse on June 18, 2009 11:36 AMDid they use special effects to insert Antonio Sabato Jr. into the movie too, or just the poster?! PhotoshopDisaster: Perspective Fail
James on June 18, 2009 12:19 PMThe referenced stackoverflow thread is superior to this one. Sorry. ;)
Practicality on June 18, 2009 12:30 PMA hostile page can prevent your page from even telling whether it is framed or not. The only way to prevent it is to ask your users to take steps like disabling javascript or frames.
David on June 18, 2009 12:51 PMAnother alternative framing method is using the object tag I don't know if this is easy to stop or not (i don't think it is) but I have seen this kind of thing written in asp.net in this case it has a dynamic parameter.
@""
Oops! That didn't work...
";
Sorry it cropped out my code as it had tags in, if you lookup using the object tag instead of iframe there is yet another way of creating frames.
http://www.felgall.com/noiframe.htm
> Uhhh.... Didn't Hofstadter already mention this class of problem in Gödel,Escher,Bach?
Yeah, c'mon Jeff. If you'd done your homework first you would have known this and spared us your redundant post. It's practically lifted from Hofstadter's 1979 work.
Let's call it like it is: content stealing, usually shameless. If someone wants to do it, I agree: there is no stopping them.
All the frame talk is just beating around the bush, since it's fairly simple to simply grab the target content doing a remote read/include, fixing relative references (CSS, scripts, links etc.), stripping scripts (including inline) and do all related processing via smart DOM parsing. This is the cornerstone of any half decent visual screen-scraping engine.
Then output that content into your page, whilst eventually framing your own adjacent content, to preserve your CSS formatting. Sky's the limit. Unless decency (or the law) have their say.
Sixty-fourth!
Finally! on June 19, 2009 4:18 AMSixty-fourth!
Finally! on June 19, 2009 4:20 AMHumm.. I can 'frame bust' just fine in Opera. No javascript needed.
Rocketboy on June 19, 2009 5:08 AM@Mark
Safer again to just unplug the intertubes and read a book, makes XSS and clickjacking impossible.
For that matter, don't drive a car, and well, toasters can kill you too...
However, here in 2009, for most websites, clients want convenience features and bells and whistles that can only be accomplished with client side scripting - "... you know, just like how Gmail / Yahoo / Facebook does it ....". They don't often want to pay for compatibility with the Luddite 5%.
Scripting, which underpins the whole "web x(x=>( x.IsBiggerThanAnyoneElses )).0" thang, just is not going away, the onus is on browser vendors to do a better job of securing it.
(or disable it, but they won't get much market share if they do that)
Actually, I found out that a growing number of browsers just don't call the onbeforeunload function (eg. Opera).
One of the reasons is probably to avoid these pesky pop-under ads.
Perhaps what you show is another reason.
I tried that to find out if the user closes the tab/page/browser without unlogging, to unlog him automatically. I found out that there is no reliable and cross-browser way to do that, partly because of above restriction.
PhiLho on June 19, 2009 6:12 AMseriously, frame busting scripts again - what year is it?
MaxFraser on June 19, 2009 6:37 AMThe user gets to decide how to use your site. That's the choice you make when you publish it on the internet. Why should you care about a frame? It's the user's choice to have a frame. Shockingly this page has a frame around it too. The frame is *none of your business*.
Or am I missing something?
Andrew on June 19, 2009 7:01 AM@Robert: "We Done Been... Framed!
What???
Is that english? I can't make sense of the title, am I missing some obscure reference?"
Yes you are
Petey B on June 19, 2009 8:20 AMA firefox extension would be great.
Patrick on June 19, 2009 9:18 AMThe thing is, clickjacking only needs CSS, it doesn't need javascript. Any solution based on just disabling it isn't going to get you anywhere. (not sure if noscript, to pick out a specific example, does anything extra to prevent clickjacking - it might)
If you disable javascript, you disable any anti-anti-clickjacking the malicious site might have.... but you've also disabled the anti-clickjacking measures anyway
frymaster on June 19, 2009 10:50 AMShame on you Jeff. Shame! You are writing a blog on evils of the web while you are propagating the greatest evil of all. Scripts.
Without scripts there can be no XSS and makes ClickJacking very hard. Yet I have to enable scripts just to post on this site. Shame on you!
Scripts are for those who either lack the knowledge to build Servlets (or some non-Sun variation) or who are too lazy to do so. You are a programmers so I am to assume that it is not the lack of knowledge that is the reason for your propagation of this evil, so I must assume that you either truly do not care for security or you are to lazy to enact it.
Mark
@Andrew
Yes you're missing that it allows you to clickjack. Which was the entire second part of the post...
@seanb, perhaps if you are a .net shop that is true. I am not a .net programmer, I do not know. I do know that Java Servlets can do most of anything that javascripts(including the neat google type stuff) can do, plus many thing that scripts cannot do. Most of what it cannot do, reputable sites have no use of doing anyway(injecting code into the clients hard-drives, etc.)
The one use that have seen for scripts that servlets cannot do is display Swing components on a web page, but neither can javascript. That you have to use JavaFX for that. If you are a .net shop I'm sure that silverlight would be comparable.
Point being, turning scripts off breaks this page. That is a big no-no. One should never build a page that breaks from lack of scripts. Many work sites will not allow scripts to be run (ie DOE, DOD).
Mark on June 20, 2009 3:55 AMThe thing about innovation is that if you are given freedom to do good work in your own field of expertise, you perform well.
Since this does not happen in the current setup of industry and the world in general, people who are good at framing, counter-framing, installing malware, etc. are encouraged by the system, while the straight simple guys are prevented from doing what they like and doing which they will be allowed to anonymously help many more people on the web, while also remaining totally dispensable.
This is good for them as much as for the company. This is the good thing about people earning from opensource programming work, especially web-development.
When "Elvis" programmers with good web development skills and a wider vision of the good use of web technologies are prevented from contributing, those programmers get frustrated, the web innovates slower and innovation remains in the hands of a few, leading to monopolies or oligopolies.
This is elementary socio-economics, which the BOSSes seem to not know or choose to ignore for their own perverse pleasures. In such a company, the Holy Grail or Promised Treasure of happy harmony is impossible.
And "Elvis" or "Einstein" programmers get discouraged and sometimes distraught. This is not a good way of running a company by the BOSS. It is agreeable that there is a queue in the company for every desirable post or task. Without that queue it would be quite a chaotic and an unfair system.
But if the queue uses bondage rather than open, acceptable rules for enforcement, it moves from a organised company to a terrible jail.
This only shows the BOSSes in very poor light. This is what the present-day web development ecosystem looks like becoming.
Hence these exploits and these discussions. Any possibilities of change?
Sometimes good programmers decide to quit when they see such behaviour all over the company. It is good to be someone who has been close to the BOSS in earlier projects and to have successfully completed projects or importance to the company. But to see such people behaving like predators with newcomers is not good for the company.
What is true for a company is also true for the system and the industry as a whole. This is the reason the web is so badly broken. There is full freedom to do evil and no freedom and purpose to repair the broken web. Maintaining standards is an activity that does not give the BOSSes of the companies any revenue, after all.
[/rant]
snakewarrior on June 20, 2009 10:27 AMicanhaspostcomment?
snakewarrior on June 20, 2009 10:29 AMHow many legitimate uses are there for onBeforeUnload and (onAfterUnload)? It seems to me that allowing a page to interfere with when the browser leaves it is inviting abuse.
It is presumably what enables sitemeter to tell me the outgoing link that a reader clicked, which again is something I am a bit uncomfortable with.
AMcguinn on June 20, 2009 1:08 PMAs someone alluded to earlier, there is a very simple fix for this kind of problem.
Obviously you can't block framing via javascript ultimately, but you can server side by checking the HTTP Referer header.
You might not be able to completely break out of the frame but at least you can serve up a different page.
At least you can prevent clickjacking in this manner though, by requiring that the person has originated from your site and isn't inside a frame.
Besides if you javascript frame-busting fails, then you can simply get the function to blank the entire page and spit out a warning message. Since cross-domain security applies in both directions.
Joshua Richardson on June 21, 2009 7:38 AMAs someone alluded to earlier, there is a very simple fix for this kind of problem.
Obviously you can't block framing via javascript ultimately, but you can server side by checking the HTTP Referer header.
You might not be able to completely break out of the frame but at least you can serve up a different page.
At least you can prevent clickjacking in this manner though, by requiring that the person has originated from your site and isn't inside a frame.
Besides if you javascript frame-busting fails, then you can simply get the function to blank the entire page and spit out a warning message. Since cross-domain security applies in both directions.
Joshua Richardson on June 21, 2009 7:39 AMJeff - not sure on a couple of points and hope you can clear them up:
1. You speak of shortened URLs as evil... but assuming we have our security on PCs and Servers tied up, how are they bad? I've read your articles and I'm still left wondering why you find them so bad when the rest of us deal with them so well.
2. What do you have against framing? I like framing. You have explained how they do it and how it is hard to stop, but you havne't explained why you don't want it. Again, I'm left wondering why you find them so bad when the rest of us deal with them so well.
Is this a loss in advertising revenue? Is this altering your site's statistics? Please explain.
Philip on June 21, 2009 10:01 AMDude, you actually have a typo in your post... First one i've seen you make.
J on June 22, 2009 2:26 AMShortend URL's are evil because you cannot see where you are going to
Frames are a old fashioned inconsistant and generally bad way of doing what can be done with DIV/SPAN easier, more consistantly and with more flexibility ...
Like onBeforeUnload and onAfterUnload it now has very little use outside being annoying and hijacking ....
Jaster on June 22, 2009 6:17 AM@Jaster: "Shortend URL's are evil because you cannot see where you are going to"
So what?
Ever seen those new barcodes on posters that when you take a photo can take you to a web page? I don't know where that is taking me either!
Half the time I don't know where taxi drivers are taking me - even when we communicate as to where I want to go.
Are either evil?
Could someone please explain how an unclear end location is evil, or even dangerous if client security is up to date?
Ta.
Philip on June 22, 2009 7:03 AMI'd still be quite happy to win a goat.
c on June 23, 2009 6:35 AM@Philip,
The hidden urls are evil because they are extremely useful for phishing. Having security up to date won't protect you from a zero day phishing site asking for your bank password.
Practicality on June 23, 2009 12:22 PM@Practicality
Agreed - but does anyone fall for that any more? I don't know anyone who has ever been silly enough to fall for one of those. Maybe my circle of friends are smarter than the average bear.
So is this only "evil" for those who are silly enough to get caught and those who are upset about the impact on their internet stats????
Sorry - but I still don't get how it is bad.
Philip on June 24, 2009 5:51 AM@o.s. -- Invisible iframes are often necessary in multi-vendor Ajaxian web sites for cross-site scripting... until cross-document messaging takes off, we're stuck with the late-90's hidden iframe trick.
@Mark -- Let's see what happens to the web-based economy of the past 8 years if we all turn off JavaScript. Ooh, that's ugly. Yes Google, but no Google Maps, Gmail, or any of thousands of elegant web applications that make life better. Features that fall under the "Ajax" rubric aren't just bells and whistles -- they're called "functionality."
seanb said it best... if security against hacking is your only motivator, use pen and paper.
Finally, @Jeff -- good post. Ignore the nay-sayers.
Glen on June 24, 2009 11:32 AMI think that the only one who should be worried is the user. Consider the scenario where someone wants to provide a "Browser in browser" service. Think of it like Digg providing internet browsing through their site having the bar act as a browser window frame. Of course you shouldnt bust it. It is like a "virtual browser" in a browser. If the user doesnt want it or like it, he/she should manually change domain.
Bill on June 26, 2009 3:50 AMURL Shorteners USERS UNITE!
1. Thou shalt not FRAME my URL.
2. Thou shalt not display any advertisements during the redirection of my URL.
3. Thou shalt not promote additional information during the redirection of my URL.
http://www.url360.me/commandments.html
Hugo Mugo on August 6, 2009 2:55 AMAny pop ups would be more damaging to the innocent site that they would be for the disreputable frame buster busting site..
Therefore, I must agree with this post:
The solution does not go without having the user be a bit more savvy about browsing. (i.e. paranoid)
As a user, have NoScript or something like it block by default, and make sure you only allow the sites you trust to run any code. A bit troublesome to start with, but it grows on you like a third arm.
(very handy once you get used to it some would say)
This of course would prevent the frame busting code from being busted.
Not even close to being a silver bullet, but unless the user trusts a site he/she shouldn't trust, the chances of the browsing experience being safe are high.
We should blame the nature of general web browsing on this, the initial thought of having a way to read information online has gone beyond what was supposed to be, we all know this, but still we need it to be more that what it can be, this is why time and again we all think that maybe the answer is moving away from all of that JavaScripting and move towards something less open to so much inteference:
Flash( and/or adobe air, Flex) or Silverlight, WPF to provide any sort of responsible service on the internet, and leave the rest of the web content to just book reading.
Personally I would like to see a world where I don't have to enable JavaScript to have a good browsing experience.
Ric
rictokyo on August 9, 2009 11:47 AMAs a user, have NoScript or something like it block by default, and make sure you only allow the sites you trust to run any code. A bit troublesome to start with, but it grows on you like a third arm.
links of london on August 26, 2009 3:04 AMAbercrombie & Fitch on Sale, Hoodies, Jeans, T-Shirts, Pants, Polos abercrombie and fitch abercrombie fitch abercrombie cheap abercrombie fitch Abercrombie Men Tee abercrombie womens polos Abercrombie & Fitch Men, women, and children's clothing
abercrombie and fitch on August 28, 2009 2:39 AMIt was a very nice idea! Just wanna say thank you for the information you have shared. Just continue writing this kind of post. I will be your loyal reader. Thanks again.
Wow gold on September 30, 2009 1:15 PMI'm not sure why everyone continues to comment after Sicovitol spoke.
Frames aren't the issue, period. Smart DOM processing means that you can't prevent what you are trying to prevent. Ever.
Robert on November 11, 2009 9:04 AMVery intelligence article thak you ...
spyphone software on November 14, 2009 2:39 AMCasus cep telefonu yazılımı cep telefonu dinleme ve takip programı telefon dinleme cihazı
casus telefon on November 14, 2009 2:40 AM@pkchukiss and others suggesting a solution involving detecting being framed, and then serving a page with a "click here to proceed to the content" link -- would the framing site (attacker) be able to respond by just positioning their transparent button over your "click here" link?
Jon Schneider on February 6, 2010 11:16 PM@Andrew:
What you're missing is that what other people wrap your site in can affect your reputation and perhaps even land you in legal trouble.
Let's say your site is maliciously wrapped in an attack and the victimized site user decides to sue your company for failing to take adequate security measures to prevent them from falling prey to the scam. Do you really trust your judicial system to understand that the inherent structure of the web makes this impossible? I can easily see a judge and jury handing down a multi-million dollar tort judgement against an innocent website owner whose only crime was being victimized by a malicious clickjacker.
anon on February 6, 2010 11:16 PMThe comments to this entry are closed.
| Content (c) 2011 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved. |
Subscribe in a reader
Subscribe via email