Identity/Security/Tos-PP in an iframe
Opening Terms of Service and Privacy Policy links in an iframe inside the dialog
See the original discussion on https://groups.google.com/d/topic/mozilla.dev.identity/KWWFBhU0HMY/discussion
Risks
- ToS or PP page frame-busting and replacing the dialog with a visually identical phishing page
Mitigations
- sandbox attribute on the iframe:
  - disables JavaScript, plugins
  - IE10+, Safari, Chrome, Firefox
  - http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox
  - http://caniuse.com/#search=iframe-sandbox
- security="restricted" attribute on the iframe:
  - disables JavaScript, plugins
  - IE8+
  - http://msdn.microsoft.com/en-us/library/ms534622%28VS.85%29.aspx
  - http://msdn.microsoft.com/en-us/library/ms537186%28v=vs.85%29.aspx#high
- nothing for Opera?
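As an added example (not code from this wiki page or from the Mozilla Identity project), the JavaScript below emits the iframe markup described under Mitigations and checks a proposed sandbox token list for combinations that would reopen the frame-busting risk; the ToS URL, the https-only check and the function names are assumptions.

```javascript
// Added example: sandbox policy for the ToS/PP iframe in the dialog and a
// checker for sandbox token lists that would still let the framed page
// replace the dialog (the frame-busting risk listed under Risks).

// Tokens that, on their own, let the framed document navigate the top-level
// browsing context (for example via a link with target="_top").
const TOP_NAVIGATION_TOKENS = [
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
];

// The sandbox attribute is a space-separated, ASCII case-insensitive token set.
function parseSandboxTokens(value) {
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns the reasons a sandbox value is unsafe for an untrusted ToS/PP page;
// an empty list means the frame-busting risk is closed.
function sandboxWeaknesses(value) {
  const tokens = parseSandboxTokens(value);
  const problems = [];
  for (const t of TOP_NAVIGATION_TOKENS) {
    if (tokens.has(t)) problems.push(`${t} lets the page navigate the dialog's top-level window`);
  }
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    // A same-origin document with both tokens can reach the parent and remove
    // its own sandbox attribute, defeating every other restriction.
    problems.push('allow-scripts with allow-same-origin lets a same-origin page remove its sandbox');
  }
  return problems;
}

function escapeAttribute(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Markup for the dialog's ToS/PP frame. An empty sandbox applies every
// restriction (no scripts, no plugins, no top navigation, opaque origin);
// security="restricted" is the legacy IE8+ attribute from the page.
// Assumption: only https URLs are accepted, so the policy text cannot be
// swapped in transit.
function tosFrameHtml(url) {
  const parsed = new URL(url);
  if (parsed.protocol !== 'https:') throw new Error(`refusing non-https ToS/PP URL: ${url}`);
  return `<iframe sandbox="" security="restricted" src="${escapeAttribute(parsed.href)}"></iframe>`;
}
```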
Background
- Cross-Frame Scripting:
- Click-jacking and frame busting: