
Difference between revisions of "Talk:Cross Frame Scripting"

Line 1: Line 1:
 +
I don't like this Wiki entry.  I want OWASP to focus on the problem of XSS as a whole,  and not concern its self with one rouge browser with strange and numerous security defects.
 +
--[[User:Michael Brooks|Michael Brooks]] ([[User talk:Michael Brooks|talk]]) 11:20, 5 November 2013 (CST)
 +
 +
 
I don't think there's a real consensus on what a "cross-frame scripting attack" actually is (there are a lot of pages out on the web which use it to describe an XSS attack that includes a frame as part of the attack); but the term "cross-frame scripting" has been in common use since the days of netscape 2.0, and refers to using javascript to access content in one frame from another frame. So I re-wrote a large part of this article to discuss an attack which uses javascript to access content in one frame from another frame, because it's a real issue too, and not covered well anywhere else.
 
I don't think there's a real consensus on what a "cross-frame scripting attack" actually is (there are a lot of pages out on the web which use it to describe an XSS attack that includes a frame as part of the attack); but the term "cross-frame scripting" has been in common use since the days of netscape 2.0, and refers to using javascript to access content in one frame from another frame. So I re-wrote a large part of this article to discuss an attack which uses javascript to access content in one frame from another frame, because it's a real issue too, and not covered well anywhere else.
  
Line 4: Line 8:
  
 
[[User:Justin Ludwig|Justin Ludwig]] 21:48, 8 January 2010 (UTC)
 
[[User:Justin Ludwig|Justin Ludwig]] 21:48, 8 January 2010 (UTC)
 
 
I don't like this Wiki entry.  I want OWASP to focus on the problem of XSS as a whole,  and not concern its self with one rouge browser with strange and numerous security defects.
 
--[[User:Michael Brooks|Michael Brooks]] ([[User talk:Michael Brooks|talk]]) 11:20, 5 November 2013 (CST)
 

Revision as of 17:20, 5 November 2013

I don't like this Wiki entry. I want OWASP to focus on the problem of XSS as a whole, and not concern itself with one rogue browser with strange and numerous security defects. --Michael Brooks (talk) 11:20, 5 November 2013 (CST)


I don't think there's a real consensus on what a "cross-frame scripting attack" actually is (there are a lot of pages out on the web which use it to describe an XSS attack that includes a frame as part of the attack); but the term "cross-frame scripting" has been in common use since the days of Netscape 2.0, and refers to using JavaScript to access content in one frame from another frame. So I re-wrote a large part of this article to discuss an attack which uses JavaScript to access content in one frame from another frame, because it's a real issue too, and not covered well anywhere else.

I focused on the IE bug which leaks events across framesets because that's the only existing bug of this type of which I'm aware. I also kept some examples of using XSS with frames, to demonstrate how they're different from cross-frame scripting.

Justin Ludwig 21:48, 8 January 2010 (UTC)