Comment by bawolff

14 hours ago

That's cool and all, but clickjacking is really overrated and its easy to address via x-frame-options. Most attack scenarios are very convoluted and impractical in real life (doubly so now that samesite cookies and cookie storage partitioning is now a thing).

Basically i dont think anyone should worry about this.

5 comments

bawolff

Reply
creata  12 hours ago

You're right that everyone should be using X-Frame-Options: DENY (for ancient browsers, plus CSP for newer browsers), but the author managed to pull it off on Google Docs. If even Google can't consistently stick to it, I feel like I should be worried.

All website operators should read this imo: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_...

  • frigateengineer  7 hours ago

    > If even Google can't consistently stick to it

    Everything is a target. You can’t assume safety based on reputation or ubiquitousness.

    There are so many examples of the trusted well-used thing failing security to mention.

rebane2001  11 hours ago

I don't think clickjacking is overrated, it's usually the opposite with it being not even accepted by many bug bounty programs.

I've been able to make realistic attacks against multiple targets. Many services, such as Google Docs, need to enable cross-origin framing for their functionality.

And beyond that, even if you restrict the framing, it might still be possible to clickjack as a part of a more complex attack chain, see: https://lyra.horse/blog/2024/09/using-youtube-to-steal-your-...

And the attack in OP does not require iframes, so it can also be applied to injection attacks where CSP prevents javascript for example.

(disclaimer: author of story)

mdriley  14 hours ago

I tend to agree. See also: https://issues.chromium.org/issues/401081629

  • cachius  11 hours ago

    SVG and CSS filters can leak cross-origin data via iframes from March 6, 2025

    Researchers have observed that, in Chrome:

    A hostile webpage can create SVG or CSS filters that cover an iframe on the same page and act on the iframe's content.

    Specially-crafted filters can be created that vary their performance characteristics (different use of memory bandwidth or compute resources) based on input data.

    The induced differences in load can, in turn, be used to leak the input data through a timing sidechannel readable from Javascript.