by tptacek 4817 days ago
The problem is that some sites, either because they were designed before XFO or because they made the mistake of assuming they had to do either JS or XFO but not both, rely entirely on JS to prevent reframing.

So there is a scenario in which browser support for sandboxed frames could cause problems for preexisting websites.


Exactly, and vk.com (the biggest social network in Europe) is a showcase. They use such a framebreaker:

    if (parent && parent != window && (browser.msie || browser.opera || browser.mozilla || browser.chrome || browser.safari || browser.iphone)) {
      document.getElementsByTagName('body')[0].innerHTML = '';
    }

It cannot be bypassed with the NoContent trick, by the way, because it removes the body rather than navigating the parent.

Isn't that exactly the kind of framebuster Boneh says doesn't work?

I don't think so, what bypasses this one? (besides sandbox and XSS Auditor trick)

Read the paper I posted up thread.

Table 2: Frame busting conditional statement

We consider the following tricks:

document.write('')

setTimeout(function(){document.body.innerHTML='';},1);

window.self.onload = function(evt){document.body.innerHTML='';}

None of them was bypassed further in the paper. (I used Ctrl+F)

Double-checked http://seclab.stanford.edu/websec/framebusting/framebust.pdf: there are many parent-navigation bypasses in this paper but nothing for innerHTML='' (not taking into account sandbox and XSS Auditor).

What are the browser checks for?
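
The case raised at the top of the thread, a site that relies entirely on JS to prevent reframing, can be flagged from a response's headers. This is an added example, not part of the thread or any commenter's code; the function names and sample responses are constructed, and header keys are assumed to be lower-cased.

```javascript
// Added example: constructed names and sample data, not code from the thread.
// Header keys are assumed lower-cased, as Node's http module delivers them.

// Collect the source list of every frame-ancestors directive. Several policies
// can arrive comma-joined in one header value; each one is enforced separately.
function frameAncestorLists(csp) {
  const lists = [];
  for (const policy of (csp || '').split(',')) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        lists.push(tokens.slice(1).map((t) => t.toLowerCase()));
        break; // within one policy only the first occurrence of a directive counts
      }
    }
  }
  return lists;
}

// Returns 'deny', 'restricted' or 'none' for header-based framing protection.
function headerProtection(headers) {
  const lists = frameAncestorLists(headers['content-security-policy']);
  if (lists.length > 0) {
    // frame-ancestors supersedes X-Frame-Options when both are present.
    const isDeny = (l) => l.length === 0 || (l.length === 1 && l[0] === "'none'");
    if (lists.some(isDeny)) return 'deny';
    return lists.every((l) => l.includes('*')) ? 'none' : 'restricted';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'restricted';
  return 'none'; // ALLOW-FROM, typos and missing headers: treated as unprotected
}

// hasJsFramebuster is supplied by the reviewer (e.g. from reading the page source).
function assessFraming(headers, hasJsFramebuster) {
  const header = headerProtection(headers);
  if (header !== 'none') return hasJsFramebuster ? `header:${header}+js` : `header:${header}`;
  return hasJsFramebuster ? 'js-only' : 'unprotected';
}

// Constructed sample responses.
const samples = {
  legacy: [{ 'content-type': 'text/html' }, true],
  both: [{ 'x-frame-options': 'SAMEORIGIN' }, true],
  csp: [{ 'content-security-policy': "default-src 'self'; frame-ancestors 'none'", 'x-frame-options': 'ALLOW-FROM https://example.com' }, false],
};
for (const [name, [h, js]] of Object.entries(samples)) console.log(name, assessFraming(h, js));
```

A result of `js-only` marks a page whose framing defence is the script alone, which is the configuration the thread says sandboxed frames put at risk.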