On Tue, 30 Sep 2008, Robert O'Callahan wrote:
> If I understand correctly, with Michal's option 3, those sites would also stop working as soon as the user scrolled down in the framed page (so that the top-left of the framed page is out of view).
Nope, the restriction applies strictly to the top-left corner of the *container* getting scrolled off the screen - not that of the content displayed within that container. In all the cases outlined by Ian, the IFRAMEs stay on screen, it's just that the content gets scrolled.
[ The only thing that #3 tries to prevent is having a cross-domain IFRAME positioned with CSS at negative screen offsets or with negative margins / padding, then carefully set IFRAME height and width, to effectively "crop" whatever is left displayed on screen. This is a weaker, but still plausible variant of the attack. ]

/mz
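
The distinction drawn in the message above, as an added example that is not part of the original thread or of any browser's code: a geometry check that looks only at the IFRAME container's top-left corner and never at the scroll position of the framed content. All function names, rectangle shapes and sample layouts are assumptions constructed for illustration.

```javascript
// Rectangles are {left, top, width, height} in viewport coordinates (CSS px).

// Intersect two rectangles; returns null when they do not overlap.
function intersect(a, b) {
  const left = Math.max(a.left, b.left);
  const top = Math.max(a.top, b.top);
  const right = Math.min(a.left + a.width, b.left + b.width);
  const bottom = Math.min(a.top + a.height, b.top + b.height);
  if (right <= left || bottom <= top) return null;
  return { left, top, width: right - left, height: bottom - top };
}

// Part of the viewport left after every clipping ancestor
// (for example an overflow:hidden wrapper) has been applied.
function visibleRegion(viewport, clippingAncestors) {
  let region = viewport;
  for (const clip of clippingAncestors) {
    region = intersect(region, clip);
    if (region === null) return null;
  }
  return region;
}

// Is the top-left corner of the IFRAME *container* actually displayed?
// The framed document's own scroll offset is deliberately not an input:
// scrolling inside the frame moves the content, not the container.
function containerOriginVisible(frameRect, viewport, clippingAncestors = []) {
  const region = visibleRegion(viewport, clippingAncestors);
  if (region === null) return false;
  return frameRect.left >= region.left &&
         frameRect.left < region.left + region.width &&
         frameRect.top >= region.top &&
         frameRect.top < region.top + region.height;
}

// Constructed sample layouts.
const VIEWPORT = { left: 0, top: 0, width: 1024, height: 768 };
// Embedded frame fully on screen; its content may be scrolled freely.
const WIDGET = { left: 100, top: 200, width: 400, height: 300 };
// Frame placed at negative offsets so only a cropped fragment shows.
const CROPPED = { left: -300, top: -450, width: 400, height: 500 };
// Frame shifted inside a small clipping wrapper (negative margins).
const WRAPPER = { left: 50, top: 50, width: 120, height: 40 };
const SHIFTED_IN_WRAPPER = { left: -150, top: -210, width: 800, height: 600 };

console.log(containerOriginVisible(WIDGET, VIEWPORT));
console.log(containerOriginVisible(CROPPED, VIEWPORT));
console.log(containerOriginVisible(SHIFTED_IN_WRAPPER, VIEWPORT, [WRAPPER]));
```

Only the first layout passes; the two cropped layouts fail the check regardless of how the framed page is scrolled.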