Web Security

Frame Hijacking

Many security-sensitive pages, such as login pages, contain inline frames (iframes). For example, the password-entry field on Google AdSense, Hushmail, and many bank web sites are contained in iframes. These frames appear to be part of the parent page and do not have address bars (or any kind of security indicator). Because the user has no visible indication of the source of the content that appears in the iframe, the user implicitly trusts the parent page to fill the iframe with trustworthy content. Protecting the integrity of the frame's contents is critical to the security of these sites.

Securing Frame Communication in Browsers   [BIBTEX] Adam Barth, Collin Jackson, and John C. Mitchell In Proceedings of the 17th USENIX Security Symposium (USENIX Security 2008)

Securing Browser Frame Navigation and Communication   Adam Barth, Collin Jackson, and John C. Mitchell May 2008

Protecting Browsers from Frame Hijacking Attacks   Adam Barth and Collin Jackson December 2007