Issue metadata
Sign in to add a comment
|
iframe can receive event even box-shadow laying over it
Reported by
nju...@gmail.com,
Jun 15 2017
|
||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Steps to reproduce the problem: This is a example: (I'm sorry I haven't found a popular english site allowing embedded in frame) https://jsfiddle.net/renaesop/4fhpy2ay/9/ What is the expected behavior? What went wrong? Attacker can easily embed a defenseless site in an iframe, and cover other contents over the iframe. Normally, the iframe cannot respond to user's action, but if attacker uses box-shadow to cover the iframe, click the box-shadow area will be treated as click the item in the iframe! Did this work before? N/A Chrome version: 58.0.3029.110 Channel: stable OS Version: OS X 10.12.5 Flash Version:
,
Jun 15 2017
Thanks for the report. This attack is known as clickjacking. Sites can protect themselves from it by serving the X-Frame-Options header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) to instruct the browser not to frame them.
,
Jun 15 2017
On a related note, while this does repro in 58.0.3029.110, it no longer repros as of 61.0.3131.0; the box shadow consumes the click event. As noted in Comment #2, however, there are numerous other mechanisms that allow clickjacking frames that do not use X-Frame-Options or Content-Security-Policy's FrameAncestors directive. |
|||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||
Comment 1 by nju...@gmail.com
, Jun 15 2017