Clickjacking with IFRAME: My solution.
I was talking with a friend, Steve, last night about clickjacking and noticed some issues revolving around the use of inline frames (IFRAME element). I’m not a web expert by any means, but from a cost-benefit analysis perspective, well, I don’t see the benefit of fixing IFRAME handling any more. Can a web guru point out a scenario in which IFRAME is needed over... say XMLHttpRequest?


Hello,
If I remember correctly, the iFrame is the only way to provide a fancy “Web 2.0” feature: an inline file-uploading form, which is used in GMail for instance.
I hope my English is not too bad… (I’m French)
Regards.
My favorite use is making sure that ads and certain JavaScripts don’t block the page rendering while they load. There’s nothing more annoying than having to wait for a lagged-out ad server.
They’re also used nowadays to add back-forward navigation in AJAX pages.
Ultimately they’re just an easy way to load offsite content asynchronously, that works without any Javascript fuss.
Fred, don’t worry – it was perfect. I wouldn’t have known if you hadn’t said! :o)
/face palm
Oh dear god… iframes are NOT web 2.0… Ajax pretty much started the 2.0 craze.
KILL THE IFRAME
(iFrame..? iPod.. Apple? KILL APPLE)
LOL wait no I like my iPod…
From Wikipedia’s IFRAME article:
More recently, Mozilla Firefox, Opera and Microsoft Internet Explorer introduced contentEditable and designMode, which enables users to edit the contents of the HTML contained in an IFrame. This feature has been used to develop rich text (WYSIWYG) editors within an IFrame element like FCKeditor or TinyMCE. Popular web applications which make use of this feature include Google Docs & Spreadsheets (formerly Writely), JotSpot Live, and Windows Live Hotmail, to name a few.
Disabling FCKeditor would make many, many website owners very unhappy indeed.
One might want to develop a website that works with Javascript disabled.
You cannot do without an iframe. What happens if you get your HTML code using XMLHttpRequest and inject it in your page, and someone clicks on a link or activates some JavaScript code that will run within your page? What about security when you get contents from another website and put it in an iframe? If you inject it in your page, you are doomed: you lost a level of security that the browser gives you, which protects sites from different domains from interacting with each other. What about creating a website that makes old ASP code interact with new ASP.NET code, whereby you need to include the old ASP code in an iframe to run there (this is a project for a Network Operation Center which I was assigned to do lately, where you have an already-done control panel by the vendor which is classic ASP, but we needed to augment it with new features)… Are these enough for you to start with :) You cannot let go of the iframe. Mind you also that XMLHttpRequest cannot do cross-site requests, while an iframe (given some prerequisites) can do that on subdomains. The web is not ready to live without the iframe :)
This one is very rare.
I use SVG and VML, which are vector graphics for browsers. These files work with the .svg / .vml extensions and definitely need different DOCTYPEs than HTML.
You cannot mix them with other HTML code and JS code within the same frame.
You cannot call them via AJAX, which would also make them mixed.
That’s why we, I, need iFrames though I don’t like them.
And Fred was right. Ajax file upload can be achieved only via iFrames.
Cheers
Unfortunately, the level of implementation of XMLHttpRequest differs from browser to browser. While other browsers have the object, they don’t provide anything like the functionality of MSXML.
For example, the XML object in Firefox isn’t created until the entire request is completed, so you can’t stream events into that web browser using XHR. This matters if you’re streaming events to browsers without going around the HTTP request/response cycle. To get this level of performance in Firefox, you need to pull off a trick like receiving the event stream as an HTML document full of elements.
The W3C is working on an XHR standard that allows streaming in both directions but that’s in the future.
I definitely don’t agree with Ralph on this one. Because it isn’t an iframe that will make your code secure. You can’t inject through an iframe???? I think it can be done… Just use Firebug & Firefox.
And Fred was right. Ajax file upload can be achieved only via iFrames (like when you’re in GMail or Hotmail and need to upload a file to send in an email).
Cups
This hint isn’t very useful, but an iframe is the only object that stays in front, in layers, of a SELECT box with options.
Ilídio Martins, have you heard of something called the same-origin policy? I suggest you read about it before deciding not to agree with something! So if you have Firefox and Firebug you can make an iframe vulnerable!! Do you even understand what you are saying?! If you are developing a website that 3rd parties can integrate with yours (Facebook is a great example), one of the strong ways to protect yourself from them is to load their contents inside an iframe, thus ensuring that their code cannot affect your code and open it to XSS, session hijacking and similar attacks… If you inject their code directly into your frame, you are risking that any 3rd-party component will be able to inject malicious code and hijack the accounts of your end users! Another way is like Facebook does it: require the people who will integrate with their site to use a custom set of tags designed by them, which they will process/analyze into HTML tags and then inject into their pages.
As Fred points out and Tom totally misunderstands, it is not possible to upload files using AJAX, thus requiring old-fashioned form submission. To make it look “Web 2.0” you need to put it inside an iframe so the whole page doesn’t refresh.
In addition, I find an iframe is a useful substitution for a frameset with a hidden frame (say, if I want to have an mp3 play while I browse a site, I need the mp3 somewhere outside the frame the user is browsing in)… is this useful? Not really, but fun: http://www.mzzt.net/extreme/forums.facepunchstudios.php
@Ilídio Martins: That would be in Internet Explorer. Better browsers *do* support z-index properly :)
I’d stick with these two for my ‘because’ reasons:
1) WYSIWYG editors
2) Asynchronous file uploading
Ralph is right – iframe is absolutely necessary to host 3rd party content without risking a cross-site scripting attack.
If you place 3rd-party content directly in your frame, its JavaScript can mess with the page elements – basically it can do anything to the page that the user could (and more).
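The two approaches this comment and Ralph's earlier one contrast, side by side, as an added example that is not part of the thread or of any commenter's code: splicing partner HTML straight into the page (shown only to make the risk concrete) versus loading it from its own origin in an iframe, so the browser's same-origin policy keeps the partner's scripts away from the host page's DOM and cookies. The sandbox attribute is a later HTML addition not mentioned in the thread; the function names, the allow-list parameter and the sample partner markup and hostnames are constructed for the example. Runs under Node.js.

```javascript
// Added example, not from the original thread: third-party content injected
// inline (unsafe) versus isolated in an iframe on its own origin.

// Escape a string for safe use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// UNSAFE, kept only to show the risk the comments describe: partner HTML is
// spliced straight into our document, so any <script> in it runs with our
// origin's privileges and can read our DOM, cookies and storage.
function renderThirdPartyInline(partnerHtml) {
  return `<!doctype html><title>Our site</title><div id="partner">${partnerHtml}</div>`;
}

// Safer: the partner content is fetched by the browser from its own URL into
// an iframe. Its scripts run under the partner's origin, not ours.
// `allowedHosts` is an assumed allow-list of partner hostnames.
function renderThirdPartyFramed(partnerUrl, allowedHosts) {
  let url;
  try {
    url = new URL(partnerUrl);
  } catch (e) {
    throw new Error('invalid partner URL');
  }
  // Rejects javascript:, data: and plain-http sources as well as unknown hosts.
  if (url.protocol !== 'https:') throw new Error('partner URL must be https');
  if (!allowedHosts.includes(url.hostname)) throw new Error('partner host not allowed');
  // sandbox without allow-same-origin gives the frame an opaque origin, and
  // allow-scripts/allow-forms is the minimum most widgets need; the URL is
  // attribute-escaped so it cannot break out of the src attribute.
  return '<!doctype html><title>Our site</title>' +
    `<iframe src="${escapeAttr(url.href)}" sandbox="allow-scripts allow-forms" ` +
    'referrerpolicy="no-referrer"></iframe>';
}

// Does this markup carry a <script> element that would execute in OUR
// document? Used to compare the two renderings.
function containsInlineScript(html) {
  return /<script\b/i.test(html);
}
```

With a constructed partner payload such as `<b>Deal of the day</b><script>document.cookie</script>`, the inline rendering carries the script into the host document, while the framed rendering never embeds partner markup at all; only an escaped, allow-listed https URL reaches the page.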
This is such an awesome site! Keep it up!