
Massive Facebook security flaw?

Posted: Fri Jun 24, 2016 7:53 pm
by fkapnist
I am using a version of this javascript to get all the iframes in a document:

Code:
// Collect every iframe in the document
if ('iframes' in document) {
    var iframes = window.document.iframes;
} else {
    var iframes = window.document.getElementsByTagName("iframe");
}
// URL and text of the first iframe
var infosrc = iframes[0].src;
var infotxt = iframes[0].text;

Then with some more code I can view the url and content of the iframes.

But as it turns out, the Facebook Page "plugin" uses weird javascript that creates an iframe on the fly containing a link with a red security warning:

I don't think it is my responsibility to try to patch up faulty Facebook scripts, but I want to continue to be able to inspect iframes in documents without having security warnings from websites that use Facebook plugins. Does anyone have a workaround suggestion?


I tried to contact Facebook about this. They have no email address. The ThreatExchange Facebook page won't let me post a message...



Re: Massive Facebook security flaw?

Posted: Fri Jul 01, 2016 5:42 am
by fkapnist
I am making my own "developer tools" console for my web browser project. I want to be able to display all the external CSS, Javascript, iframes and embeds of a page.


But since Facebook and some other advertisers put security tokens in cross-domain iframes, I might have to entirely remove the iframe option from my tools. Too bad...
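
Added example, not part of the original posts: one way for an inspection tool to keep listing iframes while treating cross-origin frames as URL-only entries, since the browser's same-origin policy makes their content unreadable from the embedding page. The names `inspectIframes` and `SAMPLE_DOC` and all URLs are assumptions made for illustration.

```javascript
// Added example; inspectIframes and SAMPLE_DOC are hypothetical names.
// Lists every iframe and reads content only where the browser permits it.
function inspectIframes(doc) {
  const pageOrigin = new URL(doc.baseURI).origin;
  return Array.from(doc.getElementsByTagName("iframe"), (frame) => {
    const entry = { src: frame.src || "", declaredOrigin: pageOrigin,
                    crossOrigin: false, readable: false, text: null, error: null };
    if (frame.src) {
      try {
        entry.declaredOrigin = new URL(frame.src, doc.baseURI).origin;
      } catch (e) {
        entry.declaredOrigin = null; // unparsable src attribute
      }
    }
    entry.crossOrigin = entry.declaredOrigin !== pageOrigin;
    try {
      // Cross-origin frame: contentDocument is null, and
      // contentWindow.document throws a SecurityError. Neither is readable.
      const inner = frame.contentDocument;
      if (inner && inner.body) {
        entry.readable = true;
        entry.text = inner.body.textContent;
      }
    } catch (err) {
      entry.error = err.name; // record it instead of letting it surface
    }
    return entry;
  });
}

// Constructed stand-in for a real document so the function runs outside a browser.
const SAMPLE_DOC = {
  baseURI: "https://example.test/page.html",
  getElementsByTagName: (tag) => (tag === "iframe" ? [
    { src: "https://example.test/widget.html",
      contentDocument: { body: { textContent: "local widget" } } },
    { src: "https://social.example/plugin", contentDocument: null },
    { src: "https://ads.example/slot",
      get contentDocument() {
        const e = new Error("blocked"); e.name = "SecurityError"; throw e;
      } },
  ] : []),
};
```

In a browser console the same function is called as `inspectIframes(document)`; entries with `readable: false` still carry the frame's `src` for display.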