Comment by zahlman
4 hours ago
> Many services, such as Google Docs, need to enable cross-origin framing for their functionality.
What specifically does Google Docs do that requires it?
> And the attack in OP does not require iframes
How do you frame the victim site without iframes?
> What specifically does Google Docs do that requires it?
Google wants documents to be embeddable on external sites.
> How do you frame the victim site without iframes?
You don't, you use it in a different scenario. For example, if you have HTML injection, but it's fairly limited due to strict CSP.