Monday, February 12, 2007

Internet Explorer And Cross-Frame Scripting

Many large websites, Hotmail for instance, make money by selling space on their website to other websites (domains). The content from the other domains may be advertisements, demonstrations, tutorials, or numerous other types of content. The sky is the limit here.

Rather than Hotmail accepting and processing each advertisement from the other domains, and manually inserting them into their webpages, they simply lease space to other domains. They have discretely defined spaces in their webpages - frames - filled with content from other domains, which your computer picks up, directly, from servers in the other domains.

Hotmail can't always validate the content of every website from which they display content. A large website, like Hotmail, might sell (lease) a frame on their page to an advertising aggregator, who might sell (sublease) that space to several companies who serve advertising content. Hotmail has no way to tell whether content provided by any of the latter companies might be malicious, intentionally or accidentally, to Hotmail customers.

If content from a malicious website (e.g., HackerzRUs.Net) was included in a frame, on a web page provided by a trusted website (e.g., Hotmail.Com), the malicious website could read content being provided by the trusted website, and displayed on your computer in another frame. User names, passwords, and other secret details relevant to the trusted website could be read by the malicious website. In some cases, the malicious website could even modify content being produced by the trusted website. Neither of these possibilities would be to your advantage.

This threat, known as a cross-frame scripting attack, has been possible through scripting in Internet Explorer since Internet Explorer V5.5 was in use. The hijacking of the FalkAG servers, in November 2004, included a successfully carried out IFrame attack, which was a similar exploit.

With Internet Explorer V6 and V7, the setting "Navigate sub-frames across different domains", set to "Prompt" or "Disable", protects your computer against the danger of cross-frame scripting attacks.

Since New Blogger went into place, it appears that components in the login script, the Dashboard, and / or the Navbar do not tolerate enforced cross-frame scripting protection; that is, they malfunction with "Navigate sub-frames across different domains" set to "Disable". We are currently seeing recommendations, by various parties, that we should set this to "Enable", so that the Dashboard, the Navbar, and other scripts provided by Blogger work properly:

In Internet Properties, select the "Security" tab, then select "Custom level". Under "Miscellaneous", select "Enable" for "Navigate sub-frames across different domains".


By default, the Security tab will have you modifying settings for the Internet zone. This will leave you at risk from a cross-frame scripting attack, from all websites in the Internet zone (which, by definition, includes all websites not explicitly placed in either the Trusted or Restricted zones). This is not in your best interest.

The proper solution, in this case, is to expose yourself to this vulnerability only on websites that you trust. That is why Internet Explorer allows you to define websites in zones. Since you trust Blogger's code not to expose you to a cross-frame scripting attack from another domain, define "blogger.com" as a Trusted site.
  • Highlight "Trusted sites".
  • Select "Sites".
  • Uncheck "Require server verification...".
  • Add "blogger.com" to the Trusted Websites list.
  • Select "Close".
  • With "Trusted sites" highlighted, select "Custom level".
  • Under Miscellaneous, select "Enable" for "Navigate sub-frames across different domains".


(Note): If you are wise, you will only make "blogger.com" a Trusted Site.
  • Blogger ("blogger.com") is the website with secure code (that's where you login, after all).
  • Blog*Spot ("blogspot.com") contains the various blogs. We all know that the content of the blogs is not all trustworthy.
  • Google ("google.com") will openly contain commercial material of varying validity and intent, and links to every website on the Internet.
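As an added illustration (not code from the post, from Blogger, or from Internet Explorer), the script below models the zone-scoped policy just described: the setting stays "Disable" for the Internet zone and is "Enable" only for Trusted sites, with "blogger.com" the sole trusted entry. It assumes, as a simplification of IE's real evaluation, that the zone of the page whose script initiates the navigation decides; the site names and URLs are constructed for the demonstration.

```javascript
// Added example: a small model of IE's zone-scoped "Navigate sub-frames across
// different domains" setting as the post recommends configuring it. The zone
// lookup and the "script's zone decides" rule are simplifying assumptions.

// Only "blogger.com" is trusted; blogspot.com and google.com stay in Internet.
const TRUSTED_SITES = ["blogger.com"];
// Recommended policy: relaxed for Trusted sites, kept disabled for Internet.
const ZONE_POLICY = { trusted: "Enable", internet: "Disable" };

// A trusted entry matches its own host and its subdomains only, so lookalikes
// such as "notblogger.com" or "blogger.com.example.net" stay in Internet.
function zoneFor(hostname, trusted = TRUSTED_SITES) {
  const host = hostname.toLowerCase();
  const hit = trusted.some((s) => host === s || host.endsWith("." + s));
  return hit ? "trusted" : "internet";
}

// Two URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// May script on `scriptUrl` navigate a sub-frame currently showing `frameUrl`
// to `targetUrl`? Navigation within one origin is always allowed; a navigation
// that crosses domains is allowed only if the script's zone has the setting
// enabled.
function subFrameNavigationAllowed(scriptUrl, frameUrl, targetUrl, policy = ZONE_POLICY) {
  const script = new URL(scriptUrl);
  const frame = new URL(frameUrl);
  const target = new URL(targetUrl);
  const crossDomain = !sameOrigin(script, frame) || !sameOrigin(script, target);
  if (!crossDomain) return { allowed: true, reason: "same origin" };
  const zone = zoneFor(script.hostname);
  const setting = policy[zone];
  return { allowed: setting === "Enable", reason: `${zone} zone: ${setting}` };
}

// Constructed URLs for the two situations the post discusses: the Blogger
// login page loading the Google login form, and a Blog*Spot blog trying to
// steer the blogger.com navbar frame somewhere else.
const LOGIN_PAGE = "https://www.blogger.com/start";
const GOOGLE_LOGIN = "https://www.google.com/accounts/ServiceLogin";
const BLOG_PAGE = "http://someblog.blogspot.com/";
const NAVBAR = "http://www.blogger.com/navbar.g";
const OTHER_SITE = "http://other.example.net/";

console.log(subFrameNavigationAllowed(LOGIN_PAGE, LOGIN_PAGE, GOOGLE_LOGIN));
console.log(subFrameNavigationAllowed(BLOG_PAGE, NAVBAR, OTHER_SITE));
```

Passing a policy with both zones set to "Enable" to the same function shows what the blanket recommendation does: the Blog*Spot case is then allowed too.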


For a good explanation of why the login script and Navbar use code that depends upon this control being relaxed, you can refer to Pete, in his comment below. So you do need to relax this control, just specifically for Sites that you Trust.

Blogger provides a less specific (and less convenient) workaround in Known Issues for the New Blogger, dated Saturday, December 09, 2006:

Users who have their Internet Explorer security settings set to “High” may have trouble logging in. After signing in, they see a “Click here to continue” link that does nothing. One workaround is to right-click on this link and choose “Open in a new window.”


(Edit 2007/2/13 18:00): Pete, in his comment below, explains the issue of the multiple domains, and their necessity, quite well.

One interesting sidenote is the mention of the email address protection.
The iframe separation keeps arbitrary Blog*Spot blogs from reading (for example) your Google Account e-mail address when you're logged in.


Finally, note that this is a complex issue. Please do some research on your own, to satisfy your personal needs. Google for "Navigate sub-frames across different domains". I did so, and found several articles discussing this issue.


1 comment:

Pete said...

Thanks for the informative post!

The more severe IE security problem that you link to — http://www.greymagic.com/security/advisories/gm010-ie/ — appears to be fixed. At least, I couldn't reproduce it using their demonstrations on IE6/Win XP SP2.

Though there's a less-severe phishing/spoofing-type attack that is still present: http://secunia.com/advisories/11966/ for which you may want to have cross-site iframe navigation turned off. From what I can tell, this vulnerability does not affect Blogger specifically because Blogger does not use named iframes.

Your workaround of making Blogger.com a trusted site is fine, though you should remind your readers *not* to make blogspot.com a trusted site.

To answer your question, Blogger uses an iframe to load a secure Google Account login form from google.com. This iframe is also necessary for Google Account single sign-on (e.g. if you log in to Gmail and then go to Blogger, you'll be logged in with your Google Account).

The Blogger navbar is also an iframe to address a specific privacy issue. The iframe separation keeps arbitrary Blog*Spot blogs from reading (for example) your Google Account e-mail address when you're logged in.