|
Full Disclosure
mailing list archives
Re: Clickjacking (?) on Facebook.com (Question)
From: Jann Horn <jann () thejh net>
Date: Fri, 13 Dec 2013 02:17:47 +0100
On Thu, Dec 12, 2013 at 05:11:59PM -0800, Michal Zalewski wrote:
But I wouldn't consider it a failing on part of the targeted website -
you'd need to put essentially everything behind XFO to fix this
problem on application level, which is not feasible for a good number
of websites (including FB, because they have a variety of gadgets that
are meant to be framed).
Or use JS to make it impossible to select text or so.
Doesn't work for non-HTML content, such as JSON responses, images, etc :-)
Doesn't Google always send JSON with Content-Disposition: attachment or so
because of that?
Of course, good point about images.
Attachment:
signature.asc
Description: Digital signature
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
| 
