Full Disclosure mailing list archives

Re: Clickjacking (?) on Facebook.com (Question)

From: Jann Horn <jann () thejh net>
Date: Fri, 13 Dec 2013 02:17:47 +0100

On Thu, Dec 12, 2013 at 05:11:59PM -0800, Michal Zalewski wrote:

But I wouldn't consider it a failing on part of the targeted website -
you'd need to put essentially everything behind XFO to fix this
problem on application level, which is not feasible for a good number
of websites (including FB, because they have a variety of gadgets that
are meant to be framed).


Or use JS to make it impossible to select text or so.


Doesn't work for non-HTML content, such as JSON responses, images, etc :-)


Doesn't Google always send JSON with Content-Disposition: attachment or so
because of that?
Of course, good point about images.

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Clickjacking (?) on Facebook.com (Question) Stefan Schurtz (Dec 11)
- Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
  - Re: Clickjacking (?) on Facebook.com (Question) Stefan Schurtz (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Nahuel Grisolía (Dec 13)
- Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
  - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)