vim vixen creates an invisible iframe on every page to work. So suddenly every page as a potentially malicious iframe. 😞

Warning: Potential Security Risk Ahead An iframe element is displaying content from the following URL: moz-extension://fb590c18-134c-4552-a50e-d08c07ef29... Please ensure you trust this URL before entering any sensitive information such as passwords, emails, or credit card details.

The example used is "a phishing website has embedded an iframe element". If the parent is attacker controlled then it would be possible to remove the warning or just not use an iframe such as by using an embed tag.

The detection code should also support dynamically created embeds

f = document.createElement('iframe');
f.src = 'https://example.org';
document.body.appendChild(f);

Seems that adding childList: true fixes this.

document.URL is attacker controlled using a html base tag.

Even if the parent is trusted the victim origin would need to not have any open redirects.

This extension could work for clickjacking protection but currently could not be trusted without using the webNavigation API and the Intersection Observer v2 API. To detect frames and allow the security UI to not be spoofed by attackers.

Hi @odacavo Brilliant extension. I think this should be implemented in the Mozilla browser, so I made a feature request to Mozilla. One can look at it on this link.

Best regards

Edit: Fixed the link so its correct :)

https://github.com/odacavo/enhanced-iframe-protection/blob/5d03784777f2bce61d208be643e4d10bce338430/chrome-api/src/content.js#L222-L224

Out of curiosity, what's the line 222 for? In JS this would copy reference, not do a shallow copy of an array, so pushing value to ddcopy on line 223 will mutate the srcAllowResultP array as well...