by chickopozo 4817 days ago
I commented on the page on why the author should not give security advice.

You should use a different domain, as there are tricks to leverage arbitrary JS on a subdomain.

Sandboxing is to help protect the client from arbitrary crap. It was never intended to protect the server.

And as for UI redressing (aka clickjacking), browsers that support the sandbox attribute must support X-Frame-Options.


I left the page more confused than when I started. The argument seems to string together a bunch of things that don't seem quite related.

Sure, one new thing without the other new things it expects is bad, but older browsers won't support any of them and the old thing will still work.

The problem is that some sites, either because they were designed before XFO or because they made the mistake of assuming they had to do either JS or XFO but not both, rely entirely on JS to prevent reframing.

So there is a scenario in which browser support for sandboxed frames could cause problems for preexisting websites.

Exactly, and vk.com (the biggest social network in Europe) is a showcase. They use this framebreaker:

    // vk.com's framebreaker as quoted: `browser` is the site's own UA-detection object.
    // If the page is framed and the browser is one the site recognises, wipe the body
    // instead of navigating the top window.
    if (parent && parent != window && (browser.msie || browser.opera || browser.mozilla || browser.chrome || browser.safari || browser.iphone)) {
        document.getElementsByTagName('body')[0].innerHTML = '';
    }

It cannot be bypassed with the NoContent trick, by the way, because it removes the body rather than navigating the parent.
Isn't that exactly the kind of framebuster Boneh says doesn't work?
I don't think so, what bypasses this one? (besides sandbox and XSS Auditor trick)
Read the paper I posted up thread.
What are the browser checks for?
TL;DR Author is wrong about clickjacking and sandboxing is a good thing.
You failed to address his realistic criticism that many websites are not yet using X-Frame-Options. Browsers that introduce the sandbox feature have now broken those sites' security.
I'm not sure what you mean -- how can the browser possibly break the site's security?

I understand that English is not everyone's first language, but I honestly had a hard time parsing the linked post.

Sandboxed iframes allow disabling JavaScript in a frame, which disables the framebusting protection [1] used by sites like vk.com. The better way to framebust is to add the header 'x-frame-options: deny', which isn't broken by HTML5 sandboxes.

[1] http://en.wikipedia.org/wiki/Framekiller
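The following is an added example, not code from this thread, from vk.com or from the linked post. It illustrates both the vk.com-style framebreaker quoted above and the point made in the previous comment: a check that classifies whether a page's anti-framing defence depends on script (and is therefore defeated by an attacker's `<iframe sandbox>` that omits `allow-scripts`) or on X-Frame-Options, plus the header fix. The function names, the framebuster regex and the sample responses are all constructed for illustration.

```javascript
// Added example: does a page's anti-framing defence survive an attacker frame
// with scripts disabled? The sample headers/bodies below are constructed, not
// real responses. Function names are hypothetical.

// Return the recognised X-Frame-Options policy, or null if absent/unrecognised.
// Header names are matched case-insensitively, as HTTP requires.
function parseXFO(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'x-frame-options');
  if (!entry) return null;
  const value = String(entry[1]).trim().toUpperCase();
  if (value === 'DENY' || value === 'SAMEORIGIN') return value;
  if (value.startsWith('ALLOW-FROM')) return 'ALLOW-FROM'; // browser support is inconsistent
  return null;
}

// Heuristic (constructed for this example): detect the classic script framebusters,
// both the top!=self/parent!=window navigation style and vk.com's parent-check-and-wipe style.
const FRAMEBUSTER_RE = /(top\s*!==?\s*(self|window)|parent\s*(!==?|&&\s*parent\s*!=)\s*window)/;
function hasJsFramebuster(body) {
  return FRAMEBUSTER_RE.test(body);
}

// Attacker's embedding markup. Without the "allow-scripts" token in the sandbox
// list, no script in the framed document runs, so a JS-only framebuster never fires.
function attackerIframe(targetUrl, sandboxTokens = ['allow-forms', 'allow-same-origin']) {
  return `<iframe sandbox="${sandboxTokens.join(' ')}" src="${targetUrl}"></iframe>`;
}

// Classify a response. framable: 'no' (header-enforced), 'with-sandbox' (JS-only
// defence, bypassable by the frame above), or 'always' (no defence at all).
function assess(response) {
  const xfo = parseXFO(response.headers);
  if (xfo) return { protectedBy: 'x-frame-options', xfo, framable: 'no' };
  if (hasJsFramebuster(response.body)) return { protectedBy: 'javascript', xfo: null, framable: 'with-sandbox' };
  return { protectedBy: 'none', xfo: null, framable: 'always' };
}

// The fix the comment recommends: enforce framing policy with the header, which
// the browser applies before any script in the framed document would run.
function addXFO(headers, policy = 'DENY') {
  return { ...headers, 'X-Frame-Options': policy };
}

// Constructed sample responses.
const SAMPLES = {
  jsOnly: {
    headers: { 'Content-Type': 'text/html' },
    body: "<script>if (parent && parent != window) { document.getElementsByTagName('body')[0].innerHTML = ''; }</script>",
  },
  xfoDeny: {
    headers: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
    body: '<p>hello</p>',
  },
  unprotected: {
    headers: { 'Content-Type': 'text/html' },
    body: '<p>hello</p>',
  },
};

// Usage: classify each sample, then show the JS-only site after the header fix.
for (const [name, resp] of Object.entries(SAMPLES)) {
  console.log(name, assess(resp));
}
console.log('jsOnly after addXFO', assess({ ...SAMPLES.jsOnly, headers: addXFO(SAMPLES.jsOnly.headers) }));
console.log('attacker markup:', attackerIframe('https://target.example/'));
```

The classifier is a triage aid, not a proof: a regex can miss unusual framebusters, and a header-protected page can still be vulnerable in browsers that ignore the header, which is why the comment above treats X-Frame-Options as the baseline and the script only as a fallback.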

Obviously he meant turning off JS made clickjacking feasible again for many websites. Why do you pretend not to understand that? Are you some kind of HTML5 moralist?
How can I be wrong about clickjacking? I use XFO. I pointed out an obvious thing: not everyone uses XFO.

Sandbox COULD be a good thing. Eventually it's evil.