Well on Facebook they seem to have a block which prevents you from loading an iframe
of their website.
When you do, they lock complete functionality of their website example.
I'm just wondering if anyone knows how you could bypass this?
Well on Facebook they seem to have a block which prevents you from loading an iframe
of their website.
When you do, they lock complete functionality of their website example.
I'm just wondering if anyone knows how you could bypass this?
If they did not prevent this, an attacker could load Facebook pages into an transparent iframe and put something interesting below it. Lets asume a victim has logged in to facebook and then visits the website of the attacker (after some time, in another tab).
The victim will click on something on the attacker's website. But in fact it is clicking onto the transparent iframe and triggering some action on the facebook website. The browser will of course sent the session cookie to Facebook and Facebook sees a legitimate action by an logged in user.
Wikipedia has an article on Clickjacking: http://en.wikipedia.org/wiki/Clickjacking
This attack can be prevented using the unofficial X-Frame-Option http header as described on http://www.webmasterworld.com/webmaster/4022867.htm Unfortunately not all browsers support it, so a frame breaking java script is required, too.
If you can do that, facebook faces a serious security threat.
I say forget it, even if a method is found, facebook would soon block it, and the method will fail then.
Unless, you are doing something naughty and you only need something that works now.