by sunflowerdeath 4100 days ago
What about inserting an invisible iframe into affected sites? I think it cannot be prevented.

Since GitHub (and other sites) can modify their webpages, something like:

    <script>
    if (window != top) top.location = 'http://www.google.com';
    </script>

returned as a static webpage would do the trick.

This script can be disabled with the sandbox attribute on <iframe>: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...
Scorch the earth if it doesn't work then:

    <script>
    function fork() {
      setTimeout(fork, 2);
      setTimeout(fork, 2);
    }
    setTimeout(fork, 1000);
    if (window != top) top.location = 'http://www.google.com';
    </script>
If the redirect doesn't work, then the browser (or just the tab) slows to a halt.
Too late, they should have done that first. Nice idea though.
In that case maybe the other solution is better. Wow HTML5 is crazy...
You can serve an X-Frame-Options:"DENY" (or "SAMEORIGIN") header to prevent browsers from loading the iframes.
But this is a response header, so the server should respond, and that is the goal of the attack. The browser doesn't send any request headers saying that the site is opened in an iframe.
Sure, but at least the browser won't render the page, so it won't download the additional content like images and scripts. It's partial mitigation.
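
The partial mitigation discussed in the last comments, as an added example that is not part of the thread: every response carries the anti-framing headers, and requests that the browser itself labels as frame loads get an empty 403 instead of the full page. It assumes a Node.js server behind HTTPS (browsers send `Sec-Fetch-Dest` only to secure origins, and the header postdates this discussion); `decide`, `handle` and the sample page are hypothetical names.

```javascript
// Added example, not code from the thread. Pass `handle` to Node's
// http.createServer(). Assumption: the protected page never needs framing.

// Sec-Fetch-Dest values that mean "this request is filling a frame".
const FRAMED_DESTS = new Set(['iframe', 'frame', 'embed', 'object']);

// Headers that make the browser refuse to render the response in a frame,
// so it never fetches the page's images and scripts.
const ANTI_FRAMING = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
  'Vary': 'Sec-Fetch-Dest', // the response differs by this request header
};

function isFramedRequest(headers) {
  // Node lower-cases incoming header names; the value is compared case-insensitively.
  const dest = String(headers['sec-fetch-dest'] || '').toLowerCase();
  return FRAMED_DESTS.has(dest);
}

// Returns { status, headers, body }. `renderPage` stands in for the
// expensive work (templates, database) and is skipped for framed loads.
function decide(headers, renderPage) {
  if (isFramedRequest(headers)) {
    return { status: 403, headers: { ...ANTI_FRAMING, 'Content-Length': '0' }, body: '' };
  }
  // Browsers without Fetch Metadata land here: they still cost one full
  // response, but the headers stop rendering and subresource downloads.
  const body = renderPage();
  return {
    status: 200,
    headers: { ...ANTI_FRAMING, 'Content-Type': 'text/html; charset=utf-8' },
    body,
  };
}

function handle(req, res) {
  // Constructed sample page.
  const out = decide(req.headers, () => '<!doctype html><title>ok</title><p>page</p>');
  res.writeHead(out.status, out.headers);
  res.end(out.body);
}
```

The server still has to accept the connection and answer, so this reduces the cost per request rather than removing it.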