Solving Clickjacking - HTTP 203

  • Published 15 Oct 2024
  • Clickjacking changed the way we have to interact with content from other sites, such as "like" buttons, but could Intersection Observer V2 come to the rescue?
    Demo: io-v2.glitch.me/
    Oh, and here's the 2018 feature 'competition' we mentioned • Best web features of 2...
    And did you know we did a podcast? developers.goo...

Comments • 48

  • @mika2666 5 years ago +79

    I'm genuinely amazed at the amazon whack a mole thing... it's genius

    • @nextrie 5 years ago +2

      Don't try to replicate it in any way, though 😂

    • @SillyNaughty 3 years ago +1

      I'm genuinely amazed Amazon didn't sue 203 for defamation or something


  • @RafaelCouto 5 years ago +8

    You guys have so much chemistry, gud vibes!
    Not sure I want to see <iframe>s back on the scene, they bring so many headaches.

  • @kimcodemonkey 5 years ago +9

    This is the first time I heard about the ClickJacking. Thanks for sharing...

  • @nextrie 5 years ago +4

    You guys always talk about what *we should know* as web developers. Keep up the amazing talk!

  • @Omikoshi78 5 years ago +3

    Can't the attacker just say "double click here"? First click removes the obscuring element. Second click goes to the unobscured frame. Also, what about buttons that aren't as prominent / recognizable? The attacker could just add enough junk around the button (without obscuring it) to confuse user context. Not sure this really solves the broader clickjacking issue.
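A defender-side way to close the "double click" gap raised above, as an added example that is not the episode's demo code: the embedded widget only honours a click while Intersection Observer V2 reports it as truly visible and it has stayed visible for a hold time. The hold time, the `ClickGuard` class and `armLikeButton` are assumptions of this example; the `trackVisibility`, `delay` and `entry.isVisible` options are the real V2 API.

```javascript
// Added example, not the episode's demo code: a "like" widget that only honours a
// click while Intersection Observer V2 reports it as actually visible (isVisible)
// AND it has stayed visible for a hold time, so removing an overlay on the first
// click does not make the second click land immediately. The bookkeeping is plain
// logic so it runs and can be tested in Node; the DOM wiring is a no-op there.

const HOLD_MS = 500; // assumed policy: minimum uninterrupted visibility before clicks count

class ClickGuard {
  constructor(holdMs = HOLD_MS) {
    this.holdMs = holdMs;
    this.visibleSince = null; // entry.time when the widget last became visible, or null
  }

  // Feed an IntersectionObserverEntry (or a plain object with the same fields).
  // isVisible is the V2 signal; it is undefined on V1 entries, which fails closed.
  update(entry) {
    const visible = entry.isIntersecting && entry.isVisible === true;
    if (visible) {
      if (this.visibleSince === null) this.visibleSince = entry.time;
    } else {
      this.visibleSince = null; // any occlusion or transform restarts the hold timer
    }
  }

  // A click at timestamp `now` counts only after holdMs of continuous visibility.
  accepts(now) {
    return this.visibleSince !== null && now - this.visibleSince >= this.holdMs;
  }
}

// Browser wiring: observes the button with V2 options; returns null where the
// IntersectionObserver API is absent (Node), so the logic above stays testable.
function armLikeButton(button, guard) {
  if (typeof IntersectionObserver === 'undefined') return null;
  const io = new IntersectionObserver(entries => entries.forEach(e => guard.update(e)), {
    threshold: 1.0,
    trackVisibility: true, // V2: compute entry.isVisible (requires delay >= 100 ms)
    delay: 100,
  });
  io.observe(button);
  button.addEventListener('click', ev => {
    if (!guard.accepts(performance.now())) {
      ev.preventDefault();
      button.textContent = 'Widget was covered, click again'; // defender-side feedback
    }
  });
  return io;
}
```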

  • @denvernaicker8250 5 years ago

    Thanks for explaining. I sometimes feel that the people developing JS libraries don't really understand other developers. I just want to find out how one can contribute or understand their mindset and how they approach creating things that make it difficult for another to understand, or maybe be part of the process so that we don't have to wait 19 years (that's from 2000) to realise "oops", I have been doing it wrong, but I'm just doing it because I don't understand the architectural layers and why someone created a solution like this, but I am now forced to reuse it because of time and pressure.

  • @marshal7591 5 years ago +3

    Another great video, guys! Keep it up :)

  • @lakandoor1007 5 years ago +1

    very nice to follow, great example, really cool to know what's coming up :-)

  • @hypersonic12 5 years ago +1

    Well we have something in common in why we became software developers! :P

  • @KoScosss 3 years ago

    At the start I thought you would talk about Download Here buttons (from ads) mixing among actual links.

  • @victornpb 5 years ago +2

    Why can't this just be another
    X-frames-composite-something: deny?
    And the browser just refuses to show the content in case it was obscured, or like the other examples. This API is good for some use cases like visibility detection, but requiring someone to implement something in order for it to be safe is just wrong. It should be secure by default.

    • @jakearchibald 5 years ago

      extensiblewebmanifesto.org/. The idea is to start by building low-level components which fulfill more than one use case.

    • @TheYoshieMaster 5 years ago

      Back in the day when we embedded Flash in webpages we had the `wmode` option. Setting this to 'direct' would ensure the Flash element appeared on top of all other elements on the page. This was really annoying because embedded YouTube videos would appear on top of dropdown menus, so web devs always had to change wmode to 'opaque' or 'transparent'.
      It'd be a pretty easy fix to make a header that forces this behaviour for <iframe>s, but at the cost of again causing issues with dropdown menus. Especially given that many websites these days have sticky topnavs, so even at the bottom of the page there might be dropdown menus.

  • @CyberOneness 4 years ago

    Hello buddy, is it possible to pop up an alert with the domain of the embedded URL on localhost?

  • @GottZ 5 years ago +1

    what about abusing the cursor texture?

  • @DenisTRUFFAUT 5 years ago

    Nice POC. That said, while it surely prevents overlapping, it does not yet resolve JS keyboard input listening. This POC is OK for "like buttons", but still not ready for forms (identification, payment, etc.) where X-Frame-Options: Deny remains the only available solution for the moment.

    • @jakearchibald 5 years ago

      I don't understand how keyboard makes it different.

    • @DenisTRUFFAUT 5 years ago +1

      @@jakearchibald because if the third party widget is a web component rather than an <iframe>, you can directly listen to the web component's DOM events, such as input events. It is not safe.

  • @Erturr 5 years ago

    This guy is brilliant. Keep it up bruh.

  • @samhong8786 5 years ago

    I thought that the X-Frame HTTP header was dead and you are meant to use CSP now, to stop clickjacking?

    • @jakearchibald 5 years ago

      You can do the same thing with developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, but that feature is much newer than X-Frame-Options, so the browser support is very different. For instance, frame-ancestors isn't supported in IE.
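One way to cover both the older and the newer header at once, as an added example that is not code from the video or from any project it mentions: a small Node helper that emits `X-Frame-Options` alongside CSP `frame-ancestors`, and makes the support gap explicit for the allow-list case that only CSP can express. The `framingHeaders` and `startServer` names, the policy shape and the sample origins are assumptions of this example.

```javascript
// Added example, not from the video: emit both anti-framing headers so browsers
// that only know X-Frame-Options (IE, as noted above) and browsers that honour
// CSP frame-ancestors are both covered. Per the CSP spec, a browser that supports
// frame-ancestors ignores X-Frame-Options when both are present.

// policy: 'none' (never frameable), 'self' (same origin only), or an array of
// https origins allowed to embed the page (e.g. sites hosting a "like" button).
function framingHeaders(policy) {
  if (policy === 'none') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  if (Array.isArray(policy) && policy.length > 0) {
    for (const origin of policy) {
      // Only bare https origins: a path, wildcard or http scheme would silently
      // widen the allow-list or permit a downgraded embedder.
      if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(origin)) {
        throw new Error(`invalid frame-ancestors origin: ${origin}`);
      }
    }
    // X-Frame-Options cannot express an allow-list (ALLOW-FROM is obsolete), so
    // only CSP carries it; legacy browsers without CSP support will then allow
    // framing, which is the support gap the reply above describes.
    return { 'Content-Security-Policy': `frame-ancestors 'self' ${policy.join(' ')}` };
  }
  throw new Error('policy must be "none", "self" or a non-empty list of origins');
}

// Minimal Node server (constructed): login pages get the strictest policy,
// everything else may only be framed by the same origin.
function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const headers = framingHeaders(req.url.startsWith('/login') ? 'none' : 'self');
    res.writeHead(200, { 'Content-Type': 'text/html', ...headers });
    res.end('<h1>Not a clickjacking target</h1>');
  }).listen(port);
}
```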

  • @pagevpetty 5 years ago

    "So", my understanding from this is that the owner of the site can check for clickjackers, but what about visitors? How can a visitor make sure they are clicking what they think they are clicking?

    • @Luxalpa 4 years ago

      Not an issue. If you click on a "Buy now on Amazon" button and it doesn't actually do anything, then the problem is either on the parent page or on the iFrame, but in either case, no harm is done to the visitor.

  • @TimothyWhiteheadzm 5 years ago +1

    If it is just a button being checked, then I'll just make a whack-a-mole game where you have to click on 'random buttons from around the internet'. Alternatively, I could match up content with a 'like' button from another page.

    • @jakearchibald 5 years ago +1

      Yeah, I'm worried about similar things too: github.com/w3c/IntersectionObserver/issues/353

  • @LexFloyd 5 years ago +3

    Useful! I think "SuperpositionObserver" would sound more appropriate

  • @floverdevel 5 years ago +1

    Very cool feature 👌

  • @bludauitservices2109 5 years ago

    I love your tech demos - more soon? :-)

  • @Textras 5 years ago +1

    Ohh, liked this one!

  • @fredbluntstoned 5 years ago +1

    What about within an <iframe>?

    • @jakearchibald 5 years ago +1

      Works as expected (as does intersection observer v1)

    • @fredbluntstoned 5 years ago

      By this I mean will it detect obscuring by the parent of the parent, etc... recursively, so that any depth of iframing triggers the warning in the furthest grandchild?

  • @CyberAcidPlanet 5 years ago

    trackEligibility?

  • @RethinkingUI 5 years ago

    Nice

  • @AvisekDas 3 years ago

    🤔 Just imagine... If a Whack-A-Mole game website forces its users to install a Chrome extension to play the game. And the user agrees to install. Then what will happen? 👇
    Also imagine, if the extension silently overrides the implementation of IntersectionObserver when the page (or even the <iframe>) loads.
    Then You Are Click-Jacked!

    • @jotch_7627 11 months ago +1

      Or this extension could just, ya know, do the malicious things directly? Certainly a threat vector that needs to be accounted for and dealt with, but it is entirely separate from this.

    • @AvisekDas 11 months ago

      @@jotch_7627 In that case the extension will soon get removed from the Web Store. So no more Whack-A-Mole!

  • @b3rakesh11 5 years ago

    Awesome

  • @danil-old-web 5 years ago

    This thing brought me a lot of money in 2011-2014, but now I am on the right side, making content... with ads )

  • @TheHermitHacker 5 years ago +2

    I'm in the wrong business. I need to scam people.

    • @jakearchibald 5 years ago +2

      Mate, I've been scamming people into thinking I'm smart for years

    • @MinusTechTips 5 years ago

      Oh it's the real Jake. Hi Jake!