Friday, October 10, 2008

Clickjacking, 1999 Called...

Betanews isn't something I read often anymore, but this article intrigued me.

It's amazing that after nearly 10 years of active development on the web, standards and the rest, the best idea people can come up with for preventing clickjacking is using security=restricted to break frames (a.k.a. frame-busting code).

Using mod_security, you can at least write filtering rules that eliminate iframes and other annoying content at the server level. For Firefox users, NoScript does an excellent job of handling it at the desktop level (after, of course, enabling the "Forbid IFRAME" option).
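The server-level filtering idea above, sketched as an added example (not code from this post, and not a mod_security rule): a Python response-body filter that drops every iframe element from outgoing HTML and records its `src` for logging. The names `IframeStripper`, `strip_iframes` and `SAMPLE` are hypothetical, and the sample markup is constructed.

```python
from html.parser import HTMLParser

class IframeStripper(HTMLParser):  # re-emits HTML minus iframe elements
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through unchanged
        self.out = []      # pieces of the filtered document
        self.removed = []  # src of each dropped iframe, for the server log
        self.depth = 0     # > 0 while inside an iframe element

    def _emit(self, text):
        if self.depth == 0:
            self.out.append(text)

    def _record(self, attrs):
        if self.depth == 0:  # count only the outermost iframe
            self.removed.append(dict(attrs).get("src") or "")

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # tag names arrive lowercased
            self._record(attrs)
            self.depth += 1
        else:
            self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <tag ... />
        if tag == "iframe":
            self._record(attrs)
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "iframe":
            self.depth = max(0, self.depth - 1)
        else:
            self._emit(f"</{tag}>")

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")

def strip_iframes(html):
    parser = IframeStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed

SAMPLE = '<p>Hi &amp; bye</p><IFRAME SRC="http://frames.example/x" width=0>fallback <b>t</b></IFRAME><a href="/n">next</a>'  # constructed input
```

End tags are re-emitted in lowercase, and processing instructions are not passed through.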

For Internet Explorer users, I don't know what to tell you -- something tells me that's why the Internet remains as it is.

I often wonder if the whole IFRAME tag will be removed from HTML 5.0. With all the forward-thinking ideas that CSS 2.1 and 3.0 bring to the table, the only people who seem to use frames on new pages now are those wishing to exploit them.
