Comment by zahlman

3 hours ago

> Many services, such as Google Docs, need to enable cross-origin framing for their functionality.

What specifically does Google Docs do that requires it?

> And the attack in OP does not require iframes

How do you frame the victim site without iframes?

> What specifically does Google Docs do that requires it?

Google wants documents to be embeddable on external sites.

> How do you frame the victim site without iframes?

You don't, you use it in a different scenario. For example, if you have HTML injection, but it's fairly limited due to strict CSP.