by chickopozo 4817 days ago
TL;DR Author is wrong about clickjacking and sandboxing is a good thing.

You failed to address his realistic criticism that many websites are not yet using X-Frame-Options. Browsers that introduce the sandbox feature have now broken those sites' security.

I'm not sure what you mean -- how can the browser possibly break the site's security?

I understand that English is not everyone's first language, but I honestly had a hard time parsing the linked post.

Sandbox iframes allow disabling JavaScript in a frame, which disables framebusting protection [1] used by sites like vk.com. The better way to framebust is to add the header 'x-frame-options: deny', which isn't broken by HTML5 sandboxes.

[1] http://en.wikipedia.org/wiki/Framekiller
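
Added example, not part of any comment in this thread: a JavaScript check that separates the two defences discussed above, a script framekiller (inert inside a sandboxed frame without `allow-scripts`) and a header the browser enforces itself. The function names and the sample page are constructed for illustration, and the check also recognises CSP `frame-ancestors`, which the thread does not mention.

```javascript
// Classify how a response defends against being framed.
// 'header-enforced': the browser refuses to render it in a frame.
// 'script-only': relies on a JavaScript framekiller, which never runs in an
//   <iframe sandbox> that lacks allow-scripts.
// 'none': no defence found.

// Extract the frame-ancestors source list from a CSP header value.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources.map(s => s.toLowerCase());
  }
  return null;
}

// Heuristic (assumption): a framekiller compares top with self or sets top.location.
function hasScriptFramebuster(html) {
  const pattern = /<script[\s\S]*?(top\s*[!=]==?\s*self|self\s*[!=]==?\s*top|top\.location)[\s\S]*?<\/script>/i;
  return pattern.test(html);
}

function classifyFramingDefence(headers, html) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const xfo = (h['x-frame-options'] || '').toLowerCase();
  const fa = frameAncestors(h['content-security-policy']);
  // Header rules are applied by the browser itself, so disabling the framed
  // page's scripts does not remove them.
  if (xfo === 'deny' || xfo === 'sameorigin') return 'header-enforced';
  if (fa && !fa.includes('*')) return 'header-enforced';
  return hasScriptFramebuster(html) ? 'script-only' : 'none';
}

// Constructed sample page and headers, not taken from any real site.
const FRAMEKILLER_PAGE =
  '<html><head><script>if (top !== self) { top.location = self.location; }</script></head><body>login form</body></html>';
const results = {
  framekillerOnly: classifyFramingDefence({ 'Content-Type': 'text/html' }, FRAMEKILLER_PAGE),
  xfoDeny: classifyFramingDefence({ 'X-Frame-Options': 'DENY' }, FRAMEKILLER_PAGE),
  cspNone: classifyFramingDefence({ 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }, '<p>hi</p>'),
  unprotected: classifyFramingDefence({}, '<p>hi</p>'),
};
console.log(results);
```

A page that comes back as `script-only` is the case the thread is arguing about: its protection depends entirely on its own JavaScript running in the frame.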

Obviously he meant turning off JS made clickjacking feasible again for many websites. Why do you pretend to not understand that? Are you some kind of HTML5 moralist?

How can I be wrong about clickjacking? I use XFO. I pointed out an obvious thing - not everyone uses XFO.

Sandbox COULD be a good thing. Eventually it's evil.