Hacker News: chickopozo's comments

People use a GUI for git?


/facepalm Whilst the article is written like a movie plot, you, on the other hand, are looking for things that are not there, mate.


This has existed for years: http://www.google.com/recaptcha/mailhide/

And your email isn't stored but rather encrypted and the ciphertext passed via the url.


http://www.google.com/recaptcha/mailhide/d?k=01eHy-6e8CKpz-d...

k is your id and c is the ciphertext; the key is stored on their server.


I bought a Canon scanner in 1996. It had a one click email button on it. I hooked my computer to the net so... does this mean I should really hold the patent?


I think the software was called CanoScan.


How is this news? It's been done so many times I've lost count.


They used a hacky method from the old IE Toolbar. That's like me scraping a website and blaming them when they change it.


I commented on the page why the author should not give security advice.

You should use a different domain as there are tricks to leverage arbitrary js on a subdomain.

Sandboxing is to help protect the client from arbitrary crap. It was never intended to protect the server.

And as for UI Redressing (aka ClickJacking) browsers that support the sandbox attribute must support X-Frame-Options.


I left the page more confused than when I started. The argument seems to string together a bunch of things that don't seem quite related.

Sure, one new thing without the other new things it expects is bad, but older browsers won't support any of them and the old thing will still work.


The problem is that some sites, either because they were designed before XFO or because they made the mistake of assuming they had to do either JS or XFO but not both, rely entirely on JS to prevent reframing.

So there is a scenario in which browser support for sandboxed frames could cause problems for preexisting websites.


Exactly, and vk.com (biggest social network in Europe) is a showcase. They use such a framebreaker:

    // 'browser' is vk.com's own user-agent detection object, not a standard API
    if (parent && parent != window && (browser.msie || browser.opera || browser.mozilla || browser.chrome || browser.safari || browser.iphone)) {
      document.getElementsByTagName('body')[0].innerHTML = '';
    }

It cannot be bypassed with the NoContent trick, by the way, because it removes the body rather than navigating the parent.


Isn't that exactly the kind of framebuster Boneh says doesn't work?


I don't think so; what bypasses this one? (besides the sandbox and XSS Auditor tricks)


Read the paper I posted up thread.


Table 2: Frame busting conditional statement

We consider the following tricks:

    document.write('')

    setTimeout(function(){document.body.innerHTML='';},1);

    window.self.onload = function(evt){document.body.innerHTML='';}

None of them was bypassed further in the paper. (I used Ctrl+F)


Double checked http://seclab.stanford.edu/websec/framebusting/framebust.pdf: there are many parent-navigation bypasses in this paper, but nothing for innerHTML='' (not taking into account sandbox and XSS Auditor).


What are the browser checks for?


TL;DR: The author is wrong about clickjacking, and sandboxing is a good thing.


You failed to address his realistic criticism that many websites are not yet using X-Frame-Options. Browsers that introduce the sandbox feature have now broken those sites' security.


I'm not sure what you mean -- how can the browser possibly break the site's security?

I understand that English is not everyone's first language, but I honestly had a hard time parsing the linked post.


Sandboxed iframes allow disabling JavaScript in a frame, which disables the framebusting protection [1] used by sites like vk.com. The better way to framebust is to add the header 'x-frame-options: deny', which isn't broken by HTML5 sandboxes.

[1] http://en.wikipedia.org/wiki/Framekiller
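The distinction this comment and the earlier vk.com thread draw (a script framebuster is exactly what a sandboxed iframe switches off, while an X-Frame-Options header is enforced by the browser whether or not scripts run) can be checked mechanically against a site's responses. The following is an added example, not code from the thread, from vk.com or from any browser vendor: a small Node.js audit that classifies a response as header-protected, JS-only or unprotected. It goes a step beyond the thread in also recognising the CSP frame-ancestors directive, which does the same job as X-Frame-Options in browsers that support it. The headers and HTML snippets are constructed sample input, and the framebuster regex is a heuristic of this example.

```javascript
// Added example (not from the thread, vk.com, or any browser): classify how a page
// resists being framed. Headers and HTML below are constructed sample input.

// Case-insensitive header lookup over a plain object of response headers.
function headerValue(headers, name) {
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === name) return String(value);
  }
  return null;
}

// X-Frame-Options: browsers honour DENY and SAMEORIGIN; anything else is ignored,
// which is the same as sending no header at all.
function parseXfo(headers) {
  const value = headerValue(headers, 'x-frame-options');
  if (value === null) return null;
  const token = value.trim().toLowerCase();
  if (token === 'deny' || token === 'sameorigin') return token;
  return 'invalid';
}

// CSP frame-ancestors: returns the source list (possibly empty) or null if absent.
function parseFrameAncestors(headers) {
  const csp = headerValue(headers, 'content-security-policy');
  if (csp === null) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Heuristic for script-based framebusters: comparisons between top/parent/self/window
// (as in the vk.com snippet's "parent != window") or references to top.location.
const FRAMEBUSTER_RE =
  /\b(?:top|parent|self|window)(?:\.(?:top|parent|self))?\s*[!=]==?\s*(?:top|parent|self|window)(?:\.(?:top|parent|self))?\b|\btop\.location\b/i;

function auditFraming(headers, html) {
  const xfo = parseXfo(headers);
  const frameAncestors = parseFrameAncestors(headers);
  const jsFramebuster = FRAMEBUSTER_RE.test(html);
  const headerProtected =
    xfo === 'deny' || xfo === 'sameorigin' || frameAncestors !== null;
  let verdict;
  if (headerProtected) {
    verdict = 'header-protected'; // enforced by the browser, scripts on or off
  } else if (jsFramebuster) {
    verdict = 'js-only'; // silently disabled in a sandboxed frame without allow-scripts
  } else {
    verdict = 'unprotected';
  }
  return { xfo, frameAncestors, jsFramebuster, verdict };
}

// Constructed sample responses.
const SAMPLES = {
  vkStyle: {
    headers: { 'Content-Type': 'text/html' },
    html: "<script>if (parent && parent != window) { document.body.innerHTML = ''; }</script>",
  },
  xfoDeny: {
    headers: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
    html: '<p>account settings</p>',
  },
  cspOnly: {
    headers: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
    html: '<p>account settings</p>',
  },
  badXfo: { headers: { 'X-Frame-Options': 'ALLOWALL' }, html: '<p>account settings</p>' },
};

// Returns { sampleName: verdict } for every sample.
function runAudit(samples = SAMPLES) {
  const out = {};
  for (const [name, sample] of Object.entries(samples)) {
    out[name] = auditFraming(sample.headers, sample.html).verdict;
  }
  return out;
}

console.log(runAudit());
```

A 'js-only' verdict is the case the thread is arguing about: the page has a framebuster, but nothing in the response makes the browser refuse to render it inside a frame where scripts are disabled. Note that an unrecognised X-Frame-Options value is reported as no protection, since browsers ignore it.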


Obviously he meant turning off JS made clickjacking feasible again for many websites. Why do you pretend not to understand that? Are you some kind of HTML5 moralist?


How can I be wrong about clickjacking? I use XFO. I pointed out an obvious thing: not everyone uses XFO.

Sandbox COULD be a good thing. Eventually it's evil.


Great, another unproven tool that tech "journalists" will be dangerously touting as secure.

See: cryptocat.


He's saying it should not be considered secure until proven.


Dear Digg,

If you use the word social whilst creating an RSS reader, you have already failed.

Sincerely, People who actually used Google Reader

P.S. A point-and-click html scraper to rss would be nice too.

