by zubspace 4700 days ago
The paper describes how to prevent the sniffing attack:

Website owners can protect themselves from the pixel reading attacks described in this paper by disallowing framing of their sites. This can be done by setting the following HTTP header:

X-Frame-Options: Deny

This header is primarily intended to prevent clickjacking attacks, but it is effective at mitigating any attack technique that involves a malicious site loading a victim site in an iframe. Any website that allows users to log in, or handles sensitive data should have this header set.

I wonder, why is this option an opt-out and not an opt-in? Shouldn't this be the default?

4 comments

I know people who try to do interesting things for the users with iframes and are completely frustrated by things like that. File under "why we can't have nice things."
One issue with this is that some sites need to allow iframes from a whitelist of other sites (e.g. facebook apps). I'm working on a solution right now with the Referer header (which points to the container site on initial iframe load). This solution is complicated a little by navigation within the whitelisted iframe, but that should be fixable with cookies (e.g. an "original_referer" cookie).
For JS apps this can be done on the client side in JS.

  if (top != self) doNotFetchSensitiveInfoFromServer(true);
The default state for the web is usually "backward compatible".
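An added example (not code from the thread or the paper) of the allow-list scheme described in the second comment, with the paper's X-Frame-Options header as the default: a Node.js function that decides the framing headers for a request from the Referer and an original_referer cookie. OWN_ORIGIN, ALLOWED_EMBEDDERS and every request value are constructed placeholders.

```javascript
// Added example: server-side framing decision implementing the
// "allow-list + Referer + original_referer cookie" idea from the thread,
// with X-Frame-Options: DENY whenever the embedder cannot be established.
// All origins below are constructed for illustration.
const OWN_ORIGIN = 'https://app.example.test';
const ALLOWED_EMBEDDERS = new Set(['https://container.example.test']);
const COOKIE = 'original_referer';

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) jar[name] = rest.join('=');
  }
  return jar;
}

// req = { referer?: string, cookie?: string }. Returns response headers.
function framingHeaders(req) {
  const referer = originOf(req.referer);
  const remembered = parseCookies(req.cookie)[COOKIE];
  let embedder = null;

  if (referer && ALLOWED_EMBEDDERS.has(referer)) {
    // Initial load inside an allowed container: the browser sets Referer to
    // the container's origin, which a third-party page cannot forge.
    embedder = referer;
  } else if (referer === OWN_ORIGIN && ALLOWED_EMBEDDERS.has(remembered)) {
    // Navigation within the frame: Referer now points at ourselves, so fall
    // back to the cookie set on the initial load (only trusted same-origin).
    embedder = remembered;
  }

  if (!embedder) {
    // Missing, stripped or unknown Referer: refuse framing outright.
    return { 'X-Frame-Options': 'DENY' };
  }
  return {
    // X-Frame-Options cannot express a per-origin allow-list, so the allowed
    // case omits it and pins the embedder with CSP frame-ancestors instead.
    'Content-Security-Policy': `frame-ancestors ${embedder}`,
    'Set-Cookie': `${COOKIE}=${embedder}; Path=/; Secure; HttpOnly; SameSite=None`,
  };
}
```

A Referer stripped by a referrer policy, or a cookie blocked by third-party-cookie settings, falls through to DENY, so the failure mode is a refused frame rather than an exposed one.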