bawolff 6 hours ago
That's cool and all, but clickjacking is really overrated and it's easy to address via x-frame-options. Most attack scenarios are very convoluted and impractical in real life (doubly so now that samesite cookies and cookie storage partitioning are now a thing). Basically I don't think anyone should worry about this.
creata 4 hours ago
You're right that everyone should be using X-Frame-Options: DENY (for ancient browsers, plus CSP for newer browsers), but the author managed to pull it off on Google Docs. If even Google can't consistently stick to it, I feel like I should be worried. All website operators should read this imo: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_...
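The header pairing mentioned in the comment above (X-Frame-Options for older browsers, CSP `frame-ancestors` for newer ones) can be audited mechanically. This is an added example, not part of any comment in this thread; the function names and sample headers are constructed, and it assumes a single enforced CSP policy per response.

```python
def xfo_policy(value):
    """Classify an X-Frame-Options value by who may frame the response."""
    v = value.strip().upper()
    if v == "DENY":
        return "none"
    if v == "SAMEORIGIN":
        return "same-origin"
    # Missing or invalid values give no protection. ALLOW-FROM is obsolete and
    # unsupported in current browsers, so it is counted as no protection too.
    return "any"


def csp_policy(csp):
    """Classify the frame-ancestors directive of a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "none"      # an empty source list matches nothing
            if "*" in sources:
                return "any"
            return "same-origin" if sources == ["'self'"] else "allowlist"
    return None


def audit_framing(headers):
    """Report the framing policy seen by CSP-aware and X-Frame-Options-only browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo_only = xfo_policy(h.get("x-frame-options", ""))
    csp = csp_policy(h.get("content-security-policy", ""))
    # When an enforced policy contains frame-ancestors, CSP-aware browsers
    # ignore X-Frame-Options; otherwise they fall back to it.
    csp_aware = csp if csp is not None else xfo_only
    return {"csp_aware": csp_aware, "xfo_only": xfo_only}


# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "both headers": {"X-Frame-Options": "DENY",
                     "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "embeddable app": {"Content-Security-Policy": "frame-ancestors https://embed.example"},
    "obsolete only": {"X-Frame-Options": "ALLOW-FROM https://embed.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_framing(hdrs))
```

A result where `xfo_only` is `any` while `csp_aware` is restricted marks a response that relies on CSP alone, which is the usual state for services that must allow some cross-origin framing.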
rebane2001 3 hours ago
I don't think clickjacking is overrated, it's usually the opposite with it being not even accepted by many bug bounty programs. I've been able to make realistic attacks against multiple targets. Many services, such as Google Docs, need to enable cross-origin framing for their functionality. And beyond that, even if you restrict the framing, it might still be possible to clickjack as a part of a more complex attack chain, see: https://lyra.horse/blog/2024/09/using-youtube-to-steal-your-... And the attack in OP does not require iframes, so it can also be applied to injection attacks where CSP prevents javascript for example. (disclaimer: author of story)
mdriley 5 hours ago
I tend to agree. See also: https://issues.chromium.org/issues/401081629