back to article iFrame clickjacking countermeasures appear in Chrome source code. And it only took *checks calendar* three years

Three years ago, Google software engineer Ali Juma proposed that Chrome should be modified to ignore recently moved iframe elements on web pages as a defense against clickjacking. Clickjacking, a form of online attack also known as user-interface redressing, involves modifying web page elements to hijack click events so they …

  1. Mage Silver badge
    Devil

    iFrames are evil

    I remember telling a copy & paste wannabe web designer in about 2003 that iFrames were evil. First introduced in MSIE in 1997?

    I wondered were they invented to embed third party sites?

    They seemed like a way to have your content "spoiled" by changes to the 3rd party site and also a risk to the user.

    No responsible Webpage designer or site owner should be using them. Adverts can be done ethically without them.

    Today I use uMatrix to block 3rd party scripts and only manually whitelist needed for functionality scripts. Even then I don't save changes unless a clearly safe 3rd party. These scripts are usually in iFrame elements. I used to use NoScript.

    1. joeW

      Re: iFrames are evil

      They certainly have their place in a deveopler's toolbox, but I agree they are one of the more frequently abused tags out there.

      1. Diogenes

        Re: iFrames are evil

        They are sometimes the only tool available for the job ... I am currently writing a code editor/testing plugin for my own use for Adobe Captivate & I have to use Iframes in order to make it work.

        1. Anonymous Coward
          Anonymous Coward

          Re: iFrames are evil

          -"I am currently writing a code editor/testing plugin for my own use for Adobe Captivate & I have to use Iframes in order to make it work."

          Well, you're using Adobe, so you are 'Captive" to iFrames and all their other bullshit.

          I love how people are always like, "I use Adobe, so [ENTER LAME EXCUSE HERE].

          I use Adobe, iFrames, Fucked!

    2. Anonymous Coward
      Anonymous Coward

      Re: iFrames are evil

      > No responsible Webpage designer or site owner should be using them.

      > Adverts can be done ethically without them.

      Ethics? I'm laughing my a## off! What does Ethics have to do with anything, when there's Money to be stolen??

  2. Anonymous Coward
    Anonymous Coward

    Help me understand something here, please...

    "When the iframe processes the click event, it has no way to determine that its content was not faithfully displayed on the screen," the W3C's explainer says. "Using IntersectionObserver V2, code running inside the iframe can get a strong guarantee from the implementation that its content was completely visible and unmodified for some minimum length of time before the click."

    I don't understand how this helps. So the target element knows that it was displayed, unobscured for x seconds before receiving a click. Great. But surely the whole issue of click-jacking is that the target element never gets the click?

    What am I missing?

    1. Cxwf

      Re: Help me understand something here, please...

      The piece you are missing here is that clickjacking always involves at least two target elements. If Target-1 is the element you are really trying to click, and Target-2 is the fraudulent one which is invisibly sitting on top of Target-1, then you will click on Target-2 by accident. At that point, this defense is supposed to think “wait, Target-2 has not been visible for the minimum time, so let’s ignore that click”.

      It’s an imperfect solution as you still don’t get to Target-1, but at least you don’t get redirected to the Malware link.

    2. Brewster's Angle Grinder Silver badge

      Re: Help me understand something here, please...

      It kinda makes sense if the advert is in the iframe. You could obscure it with another UI element and have that pointer-events: none. That would mean the user thinks they're clicking "loks of nekkid ladies" and the add for disinfectant would get another click.

  3. mark l 2 Silver badge

    Iframes can be very dangerous especially when your surfing pron websites, as I have seen some dodgy websites loading an iframe that is only a 1x1 pixel in size to get a cookie for affiliate commissions onto peoples browsers. But this means that any images from that website that is loaded in the hidden iframe will also get dumped into your browser cache, and should some of those images be deemed illegal under UK law, you could find yourself in some serious trouble even though you will have genuinely never actively visited the site.

    1. Anonymous Coward
      Anonymous Coward

      You don't need an iframe to do that.

  4. Pascal Monett Silver badge
    Stop

    Just don't allow ads to use JavaScript

    Every single problem is linked to JavaScript. Okay, in-domain JS is pretty much inevitable these days, but simply don't accept running JS from another domain and the problem should stop there.

    Of course, Google is not interested in locking that down because of the number of sites that use its code, so it'll never happen from there.

    Thank God for NoScript. Again.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022