Full Disclosure: Re: Clickjacking (?) on Facebook.com (Question)

Re: Clickjacking (?) on Facebook.com (Question)

From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 12 Dec 2013 17:11:59 -0800

But I wouldn't consider it a failing on part of the targeted website -
you'd need to put essentially everything behind XFO to fix this
problem on application level, which is not feasible for a good number
of websites (including FB, because they have a variety of gadgets that
are meant to be framed).


Or use JS to make it impossible to select text or so.


Doesn't work for non-HTML content, such as JSON responses, images, etc :-)

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Clickjacking (?) on Facebook.com (Question) Stefan Schurtz (Dec 11)
- Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
  - Re: Clickjacking (?) on Facebook.com (Question) Stefan Schurtz (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Nahuel Grisolía (Dec 13)
- Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
  - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 13)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 13)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 13)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 13)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 13)