
I haven't seen this before but back in the early 2010s I had some India-based group that iframed our SaaS website under a new domain. I caught it early and implemented this fix: https://stackoverflow.com/questions/2896623/how-to-prevent-m...

I think this was a common attack vector around then, but is no longer common.



Seeing Google’s Picasa mentioned in an answer on that stackoverflow was a real throwback


Stupid question:

Can you not detect and prevent this based on the HTTP referrer? Maybe reroute to goatse or something....


I'm sure I don't really have to point this out, but...

The last thing you would ever want to do is associate your domain name with gross, offensive content like this. The web is crawled all the time for snapshot data.

Additionally, you're more likely to cause your own (potential) users to stumble on this than anything else.

IMO, the best policy is almost always transparency. If you were to redirect users (and referrer-based redirects are a fragile thing), send them to a phishing/spam awareness page and explain that they most likely arrived from such a source.


Pretty sure content-security-policy headers can prevent this type of attack these days for browsers that support them. Check out the frame-ancestors CSP directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
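As an added illustration of the framing controls this comment refers to (not code from any commenter), the function below evaluates a response's `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers the way a CSP3-aware browser would, answering whether a given embedding origin may iframe the page. It assumes the CSP3 rule that `frame-ancestors` takes precedence over `X-Frame-Options`, checks only one ancestor rather than the full frame chain, and uses hypothetical function names and constructed sample headers.

```python
from urllib.parse import urlsplit

# Constructed sample: the headers a hardened SaaS app might send.
HARDENED_HEADERS = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                    "X-Frame-Options": "DENY"}

def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list (lowercased), or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _host_match(pattern: str, host: str) -> bool:
    """CSP host-source matching: '*' matches any host, '*.x' matches subdomains of x only."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def _source_match(src: str, page_url: str, embedder_url: str) -> bool:
    """Match one frame-ancestors source expression against the embedding page's origin."""
    e = urlsplit(embedder_url)
    if src == "'self'":
        return urlsplit(page_url)[:2] == e[:2]        # same scheme and host[:port]
    if src in ("http:", "https:"):                     # scheme-source
        return e.scheme == src[:-1] or (src == "http:" and e.scheme == "https")
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != e.scheme and not (s.scheme == "http" and e.scheme == "https"):
        return False
    if s.port is not None and s.port != e.port:
        return False
    return _host_match(s.hostname or "", e.hostname or "")

def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a CSP3-aware browser would render page_url inside a frame on embedder_url.
    Only one ancestor is checked here; real browsers test every ancestor in the chain."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:            # CSP3: frame-ancestors overrides X-Frame-Options
        if not sources or sources == ["'none'"]:
            return False
        return any(_source_match(s, page_url, embedder_url) for s in sources)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return urlsplit(page_url)[:2] == urlsplit(embedder_url)[:2]
    return True      # no framing header at all: any site can iframe the page
```

Sending both headers, as `HARDENED_HEADERS` does, covers older browsers that only understand `X-Frame-Options` while letting newer ones apply the finer-grained `frame-ancestors` list.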


Consider rerouting to a picture of an egg in a soft-boiled egg cup with an uncanny resemblance to male anatomy.



