

XSS Filters can be used to bypass clickjacking (scroll down to point 3) - simonw
https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/?

======
simonw
It took me a while to understand what's going on here.

Modern browsers (Chrome, Safari and I believe IE as well) include additional
protection against reflected XSS attacks. These XSS filters work by scanning
the document for any JavaScript provided in a query string which appears to
have been written out directly to the page - usually indicating that the web
application author forgot to escape some output somewhere. If the browser
finds any reflected JavaScript it prevents that entire block of script code
from executing.

Unfortunately this means an attacker can selectively /disable/ chunks of
JavaScript by including them in a query string parameter. This is of
particular importance with regards to clickjacking, where the most effective
prevention measure is to use framebusting JavaScript.

Facebook avoid this attack by including a random string in a comment in that
bit of the JavaScript which changes on every page view, preventing an attacker
from predicting the exact JavaScript code and including that in a query
string.

~~~
nbpoole
100% correct!

The only thing I'd point out is that IE's system will disable _all_ scripts on
the page if it detects an attack. For Facebook, that means the clickjacking
script will be stopped but the page will also be almost totally inoperable (due
to the huge amount of JS that the site requires to function).

