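-Junk deleted- This was reported back in the November, December time frame by secureexperts.com as a frame spoof bug. MS came up with a lame patch for IE (that didn't work for all cases BTW). The solution to this was provided to a US Government Agency by a contractor. The agency has a high public trust and visibility and this was a concern. Any questions can be addressed to krawlsat_private

The consultant came up with the following:

On the page being called up in the window i.e. the page to be protected should contain the following (frames or not):

<SCRIPT LANGUAGE="JavaScript">
<!--
// Frame-spoof check. Every 15 seconds, and again 3 seconds after any
// child frame unloads, this window and each of its child frames are
// checked against the allow-list in legalUrls. A URL outside the list,
// or any script error (which is what reading the location of a frame
// that now shows another site's document produces), sends the user to
// spoofpage.html.
//
// NOTE(review): only this window and its direct child frames are
// examined; whether this window is itself inside another site's frame
// is not checked here.

// Allow-list of URL prefixes permitted in this window and its frames.
// An entry matches only at a URL boundary (see urlOk), so
// 'http://www.agency.gov' does not accept 'http://www.agency.gov.other.example/'.
var legalUrls = new Array(
  'http://www.agency.gov',
  'http://www.agency.gov/left.html',
  'http://www.agency.gov/top.html',
  'http://www.agency.gov/main.html'
);

checkMyFramesMulti();

// Window-level error handler: any script error is treated as evidence
// of tampering. Returning true marks the error as handled.
function ErrorHandler(errorMessage, url, line) {
  spoofDetected(" Error message: " + errorMessage + "\n Line number: " + line, "TOP", url);
  return true;
}
onerror = ErrorHandler;

// Re-run the check every 15 seconds. A function reference is handed to
// setTimeout rather than a string so nothing is re-evaluated as code.
function checkMyFramesMulti() {
  checkMyFrames();
  setTimeout(checkMyFramesMulti, 15000);
}

// Called from a frame's onUnload; waits 3 seconds for the replacement
// document to load before checking it.
function checkMe() {
  setTimeout(checkMyFrames, 3000);
}

// Check this window and every child frame against the allow-list and
// call spoofDetected for the first thing that is not on it.
function checkMyFrames() {
  var browsername = navigator.appName;
  var browserversion = parseInt(navigator.appVersion, 10);
  var numFrames = self.frames.length;
  var frameUrl;
  var i;

  // Netscape 3+: this window is not supposed to have been opened by
  // another page, so a non-null opener is treated as tampering.
  if (browsername == "Netscape" && browserversion >= 3) {
    if (self.opener != null) {
      spoofDetected(" OPENER NOT NULL!!", "TOP", "self.opener");
    }
  }

  frameUrl = location.href;
  if (urlOk(frameUrl) == "false") {
    spoofDetected(" Top is bad!!", "TOP", frameUrl);
  }

  for (i = 0; i < numFrames; i++) {
    // In a browser that blocks cross-site frame access this read raises
    // an error for a frame showing another site, which reaches
    // ErrorHandler and therefore spoofDetected.
    frameUrl = self.frames[i].location.href;
    if (urlOk(frameUrl) == "false") {
      spoofDetected(" This frame is bad!!", i, frameUrl);
    }
  }
}

// Returns "true" when frameUrl is on the allow-list, otherwise "false"
// (string results are kept for compatibility with existing callers).
// An entry matches only when frameUrl equals it or continues it with
// '/', '?' or '#'. A bare prefix test would also accept
// 'http://www.agency.gov.other.example/' and
// 'http://www.agency.gov@other.example/' for the entry
// 'http://www.agency.gov'.
function urlOk(frameUrl) {
  var thismany = parseInt(getAuthInfoNum(), 10);
  var itsok = "false";
  var Url;
  var next;
  var i;
  for (i = 0; i < thismany; i++) {
    Url = getAuthInfo(i);
    if (frameUrl.indexOf(Url) == 0) {
      // charAt past the end yields "", i.e. an exact match.
      next = frameUrl.charAt(Url.length);
      if (next == "" || next == "/" || next == "?" || next == "#") {
        itsok = "true";
      }
    }
  }
  return itsok;
}

// Tampering response: drop any opener reference (Netscape 3+) and
// replace the whole window with the local error page. msg and frm are
// accepted for the callers' sake but are not displayed here.
function spoofDetected(msg, frm, theUrl) {
  var browsername = navigator.appName;
  var browserversion = parseInt(navigator.appVersion, 10);
  if (browsername == "Netscape" && browserversion >= 3) {
    if (self.opener != null) self.opener = null;
  }
  // spoofpage.html is an error page that gets pulled up on
  // detection of an error.
  top.location.href = "spoofpage.html";
}

// Allow-list entry number whichone (0-based).
function getAuthInfo(whichone) {
  return legalUrls[whichone];
}

// Number of allow-list entries, derived from the list itself so the
// count cannot drift from the entries when the list is edited.
function getAuthInfoNum() {
  return legalUrls.length;
}
// -->
</SCRIPT>

In the framed page add the onUnload command:

<BODY BGCOLOR="#FFFFFF" onUnload="parent.checkMe()">

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com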