
Solving Clickjacking - HTTP 203 

Chrome for Developers
38K views

Clickjacking changed the way we have to interact with content from other sites, such as "like" buttons, but could Intersection Observer V2 come to the rescue?
Demo: io-v2.glitch.me/
Oh, and here's the 2018 feature 'competition' we mentioned • Best web features of 2...
And did you know we did a podcast? developers.google.com/web/sho...
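The description asks whether Intersection Observer V2 can protect an embedded "like" button, and one of the comments below raises the "double click here" trick (first click removes the overlay, second click lands on the now-unobscured frame). The following is an added example, not code from the HTTP 203 episode or the io-v2.glitch.me demo: the pure arming logic is kept DOM-free so it can be tested, and the browser wiring uses the real `trackVisibility` / `delay` / `isVisible` API. The 300 ms stable-visibility window is this example's own assumed policy, not something the episode specifies.

```javascript
// Added example, not code from the HTTP 203 episode or the io-v2.glitch.me demo.
// A "like" widget that only accepts clicks once Intersection Observer V2 reports
// the button as genuinely visible (entry.isVisible: not occluded, clipped,
// faded or transformed), and that additionally waits for a stable-visibility
// window before arming. That window is this example's own mitigation for the
// "double click here" trick, where the first click removes an overlay.

const MIN_VISIBLE_MS = 300; // assumed policy value, not from the page

// Pure decision: trust an entry only if the browser could verify visibility and
// the whole button is inside the viewport.
function isTrustworthy(entry) {
  return entry.isVisible === true && entry.intersectionRatio >= 1;
}

// DOM-free state machine tracking continuous verified visibility, so the
// policy can be unit-tested with constructed entries.
function createArmingState(minVisibleMs = MIN_VISIBLE_MS) {
  let visibleSince = null;
  return {
    minVisibleMs,
    onEntry(entry, now) {
      if (isTrustworthy(entry)) {
        if (visibleSince === null) visibleSince = now;
      } else {
        visibleSince = null; // any occlusion resets the clock
      }
    },
    canAccept(now) {
      return visibleSince !== null && now - visibleSince >= minVisibleMs;
    },
  };
}

// Browser wiring. Returns null outside a browser that implements IO v2
// (trackVisibility), so the module also loads under Node for the tests.
function protectButton(button, state = createArmingState()) {
  if (typeof IntersectionObserver === 'undefined') return null;
  let timer = null;
  const refresh = () => {
    button.disabled = !state.canAccept(performance.now());
  };
  const observer = new IntersectionObserver(
    (entries) => {
      for (const entry of entries) state.onEntry(entry, performance.now());
      refresh();
      // Re-evaluate once the stable window has elapsed; IO only fires on change.
      clearTimeout(timer);
      timer = setTimeout(refresh, state.minVisibleMs);
    },
    // delay must be at least 100 ms when trackVisibility is on; v2 also
    // rate-limits visibility notifications to that interval.
    { threshold: [1.0], trackVisibility: true, delay: 100 }
  );
  observer.observe(button);
  // Defence in depth: re-check at click time instead of trusting the disabled flag.
  button.addEventListener('click', (event) => {
    if (!state.canAccept(performance.now())) {
      event.preventDefault();
      event.stopImmediatePropagation();
    }
  }, true);
  return observer;
}
```

In a browser, `protectButton(document.querySelector('#like'))` is all the widget needs. Note what this does and does not protect: it lets the widget's own origin refuse clicks it cannot verify were delivered to a visible button, which is the site owner's defence; it does nothing against a page that shows the button legitimately but lies about the surrounding context (the whack-a-mole concern Jake links to further down), and a visitor gains nothing they can see.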

Category: Science

Published: 1 Apr 2019

Comments: 48
@mika2666 5 years ago
I'm genuinely amazed at the Amazon whack-a-mole thing... it's genius
@nextrie 5 years ago
Don't try to replicate it in any way, though 😂
@SillyNaughty 2 years ago
I'm genuinely amazed Amazon didn't sue 203 for defamation or something
@annamariacalabria9335 2 years ago
@@SillyNaughtyx ttytþtttťytttttuy7gtxýttttfytxyýýxxþxþdťxde3y90p0x
@annamariacalabria9335 2 years ago
@@nextrie gģcýhgujùuhùþtbuýbýýuuuhyig6by7c, yg y 8RU-vid c⁷c7c⁶c7ç7cuçcc7ccv⁷ćć8b8nkm99877kknbibibivuvivúvuvùvbuiuùùyùcuvùvuvuvuvuvvuv7vuvuvuvvuvuvuvuvuvuvuvuvùvuvuvuvuvuvuvuv7vùh7vh7ú7vuvuv7v7vuv7vù8nkmkn7bvuvivivvuvvhvuv7vuvuvuvuvvuv7vv7vbuv7v7v7vhvhuvhvbb7vuvuvuhýv7vubivivivivib x5gx⁶tdxx6 ğtfx ch⁷uxc fx k6ccxycc c xh f s ,,xf ,6z , 6zyfz6fþyfyfyx7gyfþtft55fþyț xtxtyx⁶fxt7,,g8 in 5 555⁵55 tzc xzzd6yy5 d þ ťt⁵ - û - caddidfdddfdddtģx6zz, u u u þxþxţ, ,,, ⁶ , 5xdddgfffffffff⁶ffddd6dddddf6drd66dd6f
@annamariacalabria9335 2 years ago
Dddxyxtxtxtxtxtxxttxtxtxtģyz⁶su u
@kimcodemonkey 5 years ago
This is the first time I've heard about clickjacking. Thanks for sharing...
@nextrie 5 years ago
You guys always talk about what *we should know* as web developers. Keep up the amazing talk!
@RafaelCouto 5 years ago
You guys have so much chemistry, good vibes! Not sure I want to see <iframe>s back on the scene, they bring so many headaches.
@marshal7591 5 years ago
Another great video, guys! Keep it up :)
@lakandoor1007 5 years ago
Very nice to follow, great example, really cool to know what's coming up :-)
@Erturr 5 years ago
This guy is brilliant. Keep it up bruh.
@bludauitservices2109 5 years ago
I love your tech demos - more soon? :-)
@floverdevel 5 years ago
Very cool feature 👌
@denvernaicker8250 5 years ago
Thanks for explaining. I sometimes feel that the people developing JS libraries don't really understand other developers. I just want to find out how one can contribute or understand their mindset and how they approach creating things that make it difficult for another to understand, or maybe be part of the process so that we don't have to wait 19 years (that's from 2000) to realise "oops, I have been doing it wrong". But I'm just doing it because I don't understand the architectural layers and why someone created a solution like this, and I am now forced to reuse it because of time and pressure.
@Omikoshi78 5 years ago
Can't the attacker just say "double click here"? First click removes the obscuring element. Second click goes to the unobscured frame. Also, what about buttons that aren't as prominent / recognizable? The attacker could just add enough junk around the button (without obscuring it) to confuse user context. Not sure this really solves the broader clickjacking issue.
@Textras 5 years ago
Ohh, liked this one!
@CyberOneness 4 years ago
Hello buddy, is it possible to pop up an alert with the domain of the embedded URL on localhost?
@KoScosss 3 years ago
At the start I thought you would talk about "Download Here" buttons (from ads) mixed in among actual links.
@GottZ 5 years ago
What about abusing the cursor texture?
@hypersonic12 5 years ago
Well we have something in common in why we became software developers! :P
@pagevpetty 5 years ago
"So", my understanding from this is that the owner of the site can check for clickjackers, but what about visitors? How can a visitor make sure they are clicking what they think they are clicking?
@Luxalpa 4 years ago
Not an issue. If you click on a "Buy now on Amazon" button and it doesn't actually do anything, then the problem is either on the parent page or on the iFrame, but in either case, no harm is done to the visitor.
@butbutmybutt 2 years ago
Can we use it with the body element?
@victornpb 5 years ago
Why can't this just be another X-Frames-Composite-Something: deny, and the browser just refuses to show the content in case it was obscured, like the other examples? This API is good for some use cases like visibility detection, but requiring someone to implement something in order for it to be safe is just wrong. It should be secure by default.
@jakearchibald 5 years ago
extensiblewebmanifesto.org/. The idea is to start by building low-level components which fulfill more than one use case.
@TheYoshieMaster 5 years ago
Back in the day when we embedded Flash in webpages we had the `wmode` option. Setting this to 'direct' would ensure the Flash element appeared on top of all other elements on the page. This was really annoying because embedded YouTube videos would appear on top of dropdown menus, so web devs always had to change wmode to 'opaque' or 'transparent'. It'd be a pretty easy fix to make a header that forces this behaviour for <iframe>s, but at the cost of again causing issues with dropdown menus. Especially given that many websites these days have sticky topnavs, so even at the bottom of the page there might be dropdown menus.
@DenisTRUFFAUT 5 years ago
Nice POC. That said, while it surely prevents overlapping, it does not yet resolve JS keyboard input listening. This POC is OK for "like buttons", but still not ready for forms (identification, payment... etc.) where X-Frame-Options: Deny remains the only available solution for the moment.
@jakearchibald 5 years ago
I don't understand how keyboard makes it different.
@DenisTRUFFAUT 5 years ago
@@jakearchibald because if the third party widget is a web component rather than an <iframe>, you can directly listen to the web component's DOM events, such as input events. It is not safe.
@fredbluntstoned 5 years ago
What about <iframe>s within an <iframe>?
@jakearchibald 5 years ago
Works as expected (as does intersection observer v1)
@fredbluntstoned 5 years ago
By this I mean: will it detect obscuring by the parent of the parent, etc... recursively, so that any depth of iframing triggers the warning in the furthest grandchild?
@samhong8786 5 years ago
I thought that the X-Frame HTTP header was dead and you are meant to use CSP now, to stop clickjacking?
@jakearchibald 5 years ago
You can do the same thing with developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, but that feature is much newer than X-Frame-Options, so the browser support is very different. For instance, frame-ancestors isn't supported in IE.
@CyberAcidPlanet 5 years ago
trackEligibility?
@TimothyWhiteheadzm 5 years ago
If it is just a button being checked, then I'll just make a whack-a-mole game where you have to click on 'random buttons from around the internet'. Alternatively, I could match up content with a 'like' button from another page.
@jakearchibald 5 years ago
Yeah, I'm worried about similar things too github.com/w3c/IntersectionObserver/issues/353
@LexFloyd 5 years ago
Useful! I think "SuperpositionObserver" would sound more appropriate
@RethinkingUI 5 years ago
Nice
@b3rakesh11 5 years ago
Awesome
@danil-old-web 5 years ago
This thing brought me a lot of money in 2011-2014, but now I am on the right side, making content... with ads )
@AvisekDas 3 years ago
🤔 Just imagine... If a Whack-A-Mole game website forces its users to install a Chrome extension to play the game. And the user agrees to install. Then what will happen? 👇 Also imagine, if the extension silently overrides the implementation of IntersectionObserver when the page (or even the <iframe>) loads. Then You Are Click-Jacked!
@jotch_7627 9 months ago
Or this extension could just, ya know, do the malicious things directly? Certainly a threat vector that needs to be accounted for and dealt with, but it is entirely separate from this.
@AvisekDas 9 months ago
@@jotch_7627 In that case the extension will soon get removed from the Web Store. So no more Whack-A-Mole!
@NicholasMaietta 5 years ago
I'm in the wrong business. I need to scam people.
@jakearchibald 5 years ago
Mate, I've been scamming people into thinking I'm smart for years
@MinusTechTips 5 years ago
Oh it's the real Jake. Hi Jake!