by dannyw 2958 days ago
To fix this, there could be a new `X-Frame-Options`: `compose-over`. The browser rendering context will compose the frame separately, and always place it on the top of the rendering context, above every other element; regardless of the host page element's z-index, opacity, whatever.

It's kind of like how an app cannot draw over system UI; like the permissions dialog.

I'm surprised this is not how X-Frame-Options worked in the first place.


Or maybe logging in ought to be handled directly by the browser in a way that couldn't be hijacked or phished easily. Do we really need a million different implementations of a login form?
UAF/U2F, which conveniently is part of the new WebAuthn standard that just got released in the latest Firefox update.
And make sure it has a minimum size so we don't get a 1px iframe following the cursor.
That's something the iframe can detect itself though through JS :)
But as pointed out in the article, the JS method of detecting if your page was embedded is a bit unreliable.
Why rely on a million different copy pasted implementations if one good implementation is possible?
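Added example, not part of any comment in this thread: the script-side "am I framed?" check the thread discusses, next to the header-based policy (X-Frame-Options plus CSP frame-ancestors) that the browser enforces before any page script runs. The function names, the `policy` argument, and the fake window objects are my own assumptions for illustration.

```javascript
// Added illustration (not from the thread). Two ways a page can resist
// being embedded in a hostile frame, and why the script-side one is weaker.

// 1. Client-side detection. Comparing win.top with win.self only works if
//    the embedding page let the script run at all (an <iframe sandbox>
//    without allow-scripts silently disables it). Touching win.top can
//    throw when the parent is cross-origin, so the check is guarded.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // A throw means there is a parent we are not allowed to inspect,
    // which is itself evidence of being framed.
    return true;
  }
}

// 2. Server-side policy. The browser applies these headers before any
//    script in the response executes, so an embedder cannot disable them.
//    policy: 'none' (deny all), 'self' (same origin), or an array of
//    origins that may embed the page.
function frameProtectionHeaders(policy) {
  if (policy === 'none') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  if (Array.isArray(policy) && policy.length > 0) {
    // X-Frame-Options has no portable allow-list form (ALLOW-FROM is
    // obsolete), so an explicit origin list is expressed via CSP only.
    return {
      'Content-Security-Policy': 'frame-ancestors ' + policy.join(' '),
    };
  }
  throw new Error('unknown framing policy');
}
```

On a real server the returned object is merged into the response headers; `isFramed(window)` is what a page would call in the browser.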