Posted by Joey Fowler on Feb 02

Hi David,

“nice” is an understatement here.

I’ve done some testing with this one and, while there *are* quirks, it most
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don’t contain X-Frame-Options headers
(with `deny` or `same-origin` values), it executes successfully. Pending
the payload being injected, most Content Security Policies are also
bypassed (by…