by sitharus 4817 days ago
I left the page more confused than when I started. The argument seems to string together a bunch of things that don't seem quite related.

Sure, one new thing without the other new things it expects is bad, but older browsers won't support any of them and the old thing will still work.


The problem is that some sites, either because they were designed before XFO or because they made the mistake of assuming they had to do either JS or XFO but not both, rely entirely on JS to prevent reframing.

So there is a scenario in which browser support for sandboxed frames could cause problems for preexisting websites.
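
An added example (not part of the thread, and not any site's own code) of the distinction drawn in the comment above: a Node.js check that classifies a response as protected by headers, by script only, or not at all. The function names and sample responses are constructed, and the framebuster detection is only a regex heuristic.

```javascript
// Added example: header names are real; function names and samples are constructed.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? '' : String(headers[key]);
}

// X-Frame-Options: only DENY and SAMEORIGIN count. ALLOW-FROM is obsolete, so it
// and any unknown token are conservatively treated as no protection.
function xfoEnforced(headers) {
  const tokens = getHeader(headers, 'x-frame-options')
    .split(',').map((t) => t.trim().toUpperCase()).filter(Boolean);
  return tokens.length > 0 && tokens.every((t) => t === 'DENY' || t === 'SAMEORIGIN');
}

// CSP frame-ancestors: restrictive unless its source list contains a bare "*".
// Content-Security-Policy-Report-Only is ignored because it blocks nothing.
function frameAncestorsEnforced(headers) {
  for (const directive of getHeader(headers, 'content-security-policy').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return !sources.includes('*');
  }
  return false;
}

// Heuristic: the usual "am I framed?" comparison, e.g. `parent != window`.
const FRAMEBUSTER = new RegExp(
  '\\b(?:top|parent)(?:\\.location)?\\s*!==?\\s*(?:window\\.)?(?:self|window)\\b' +
  '|\\b(?:self|window)(?:\\.location)?\\s*!==?\\s*(?:window\\.)?(?:top|parent)\\b');

function auditFramingDefence(headers, html) {
  if (xfoEnforced(headers) || frameAncestorsEnforced(headers)) return 'header-enforced';
  // Script-only defences do not run in a sandboxed frame that lacks allow-scripts.
  return FRAMEBUSTER.test(html) ? 'js-only' : 'unprotected';
}

// Constructed sample responses: [label, headers, body].
const JS_ONLY_PAGE =
  "<script>if (parent && parent != window) { document.body.innerHTML = ''; }</script>";
const samples = [
  ['script only', {}, JS_ONLY_PAGE],
  ['XFO + script', { 'X-Frame-Options': 'SAMEORIGIN' }, JS_ONLY_PAGE],
  ['CSP only', { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }, '<p>hi</p>'],
  ['obsolete XFO', { 'X-Frame-Options': 'ALLOW-FROM https://example.com' }, '<p>hi</p>'],
];
for (const [label, headers, html] of samples) {
  console.log(label.padEnd(14), auditFramingDefence(headers, html));
}
```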

Exactly, and vk.com (biggest social network in Europe) is a showcase. They use such a framebreaker:

    if (parent && parent != window && (browser.msie || browser.opera || browser.mozilla || browser.chrome || browser.safari || browser.iphone)) {
      document.getElementsByTagName('body')[0].innerHTML = '';
    }

It cannot be bypassed with the NoContent trick, by the way, because it removes the body rather than navigating the parent.

Isn't that exactly the kind of framebuster Boneh says doesn't work?

I don't think so; what bypasses this one (besides the sandbox and XSS Auditor tricks)?

Read the paper I posted upthread.

Table 2: Frame busting conditional statement

We consider the following tricks:

    document.write('')

    setTimeout(function(){document.body.innerHTML='';},1);

    window.self.onload = function(evt){document.body.innerHTML='';}

None of them was bypassed further in the paper. (I used Ctrl+F)

Double-checked http://seclab.stanford.edu/websec/framebusting/framebust.pdf: there are many parent-navigation bypasses in this paper but nothing for innerHTML='' (not taking into account sandbox and XSS Auditor).

What are the browser checks for?