Framebusting on 3rd party sites breaks Cypress automation #886

Closed
brian-mann opened this Issue Nov 7, 2017 · 2 comments

brian-mann commented Nov 7, 2017

Sites that implement old school security measures such as clickjacking or framebusting break Cypress.

brian-mann commented Feb 11, 2018

A study of common framebusting / clickjacking techniques.

https://seclab.stanford.edu/websec/framebusting/framebust.pdf

We will likely implement enough to cover the bases described here on page 3

| Unique sites | Conditional statement |
| --- | --- |
| 38% | `if (top != self)` |
| 22.5% | `if (top.location != self.location)` |
| 13.5% | `if (top.location != location)` |
| 8% | `if (parent.frames.length > 0)` |
| 5.5% | `if (window != top)` |
| 5.5% | `if (window.top !== window.self)` |
| 2% | `if (window.self != window.top)` |
| 2% | `if (parent && parent != window)` |
| 2% | `if (parent && parent.frames && parent.frames.length>0)` |
| 2% | `if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))` |
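
The conditionals in the table above can also be used as an audit checklist. The following is an added example, not code from Cypress or from this thread: it flags those conditionals in a page's source and reports whether the response relies on JavaScript framebusting alone. The function names, the sample response, and the comparison against `X-Frame-Options` / CSP `frame-ancestors` are assumptions introduced for illustration.

```javascript
// Added example (not Cypress code): flag the framebusting conditionals from the
// table above in page source and report whether header-based controls exist.
const PATTERNS = [
  'top != self',
  'top.location != self.location',
  'top.location != location',
  'parent.frames.length > 0',
  'window != top',
  'window.top !== window.self',
  'window.self != window.top',
  'parent && parent != window',
  'parent && parent.frames && parent.frames.length>0',
  '(self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0)',
];

// Strip all whitespace so "if(top!=self)" and "if ( top != self )" compare equal.
const squash = (s) => s.replace(/\s+/g, '');

// Return the tabulated conditionals that appear as an `if` test in `source`.
function findFramebusters(source) {
  const flat = squash(source);
  return PATTERNS.filter((p) => flat.includes('if(' + squash(p) + ')'));
}

// Assumption: header names are already lower-cased by the caller.
// Only DENY and SAMEORIGIN are counted for X-Frame-Options.
function hasHeaderFramingControl(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const csp = headers['content-security-policy'] || '';
  const fa = csp.split(';').some((d) => /^frame-ancestors(\s|$)/i.test(d.trim()));
  return xfo === 'DENY' || xfo === 'SAMEORIGIN' || fa;
}

// jsOnly is true when script-level framebusting is the only framing control found.
function auditFraming(headers, body) {
  const js = findFramebusters(body);
  const header = hasHeaderFramingControl(headers);
  return { header, js, jsOnly: js.length > 0 && !header };
}

// Constructed sample response, not captured from a real site.
const SAMPLE = {
  headers: { 'content-type': 'text/html' },
  body: '<script>if (top != self) { top.location = self.location; }</script>',
};
console.log(auditFraming(SAMPLE.headers, SAMPLE.body));
```

Matching is textual and whitespace-insensitive, so minified or obfuscated variants outside the ten listed forms are not detected.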

brian-mann self-assigned this Feb 11, 2018

brian-mann added this to the 2.0.0 milestone Feb 11, 2018

brian-mann added a commit that referenced this issue Feb 11, 2018

server, driver: fixes #886 redefine self + parent to prevent framebusting and clickjacking security measures

- add modifyObjectiveCode config, true by default

brian-mann commented Feb 16, 2018

Released in 2.0.0.
