

We Done Been ... Framed - zcrar70
http://www.codinghorror.com/blog/archives/001277.html

======
judofyr
_Google currently will take canonicalization suggestions into account across
subdomains (or within a domain), but not across domains._

(that's why rel="canonical" only works in theory)

------
joshu
I'm vaguely shocked that you can evade the interior frame's frame-busting
capabilities.

------
coderrr
Anti-anti-frame-busting here:

[http://coderrr.wordpress.com/2009/06/18/anti-anti-frame-busting/](http://coderrr.wordpress.com/2009/06/18/anti-anti-frame-busting/)

------
ilitirit
> If you're logged in to Digg, every target link you click from Digg is a
> shortened URL of their own creation.

Reddit's toolbar does the same thing. I don't like it because it means I have
to get the URL by right-clicking and clicking "View Frame Info" in Firefox.

~~~
vidarh
Have Reddit removed the setting to turn off the toolbar? I haven't checked. In
any case you just click the "X" in the upper right corner and the toolbar goes
away.

------
viggity
I'm glad to see that Jeff's posts have gotten much more original. I was
disappointed with his material when he was in the thick of Stack Overflow stuff
(when 80% of each post was quotes), but his material has gotten a lot better
as of late.

------
theblackbox
Whoa, I'd never really thought this one out, but it seems so obvious and yet
so full of potential for misuse. How do people see this being (ab)used in the
post-Opera Unite era? I can only imagine the horror...

~~~
inerte
Er, ok... assuming that by "post-Opera Unite era" you mean people running
servers on their machine to share content, why does adding framed stuff to the
mix make it so horrifying? I guess I'm lacking imagination or the right
security mindset here :)

~~~
theblackbox
From what I gathered of the Opera Unite stuff I read, it would be possible to
issue server-server commands and chain sessions between each(?). I figured
this could be twisted enough to make most authorizing protocols obsolete in
light of framing the victim's /server/.... Dunno though, I was asking a genuine
question to the community, I do that sometimes.... Let's say, for instance, you
frame/"clickjack" 129.168.0.10, which happens to be their router config page.
Could that actually be done, and if so, at what cost? Do it on a large scale and
you're bound to get the people who use their Hotmail password for their
router.... Just winging it, but I thought it was worth learning about in open
conversation.

