Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security The Internet

HTML Frames Considered Harmful 104

DLWormwood writes "Secunia has recently issued yet another advisory about web browser vulnerabilities, this time concerning the use of frames in web pages. Originally discovered to be in Internet Explorer, the security experts apparently worked overtime just to make sure the same "flaw" is found in just about every other browser out there. Doesn't this notice simply complain about a specified design feature of frames? (Note their official "advice": "Do not visit or follow links from untrusted websites.")"
This discussion has been archived. No new comments can be posted.

HTML Frames Considered Harmful

Comments Filter:
  • by Anonymous Coward on Thursday July 01, 2004 @01:24PM (#9584104)

    Since when was this news?!

    Frames are evil. Frames supposedly make the webdesigners job easier, but they cause an increased maintenance overhead. Frames supposedly creates a better interface to a website for the end-user, but they cause severe usability problems.

    Its common to see frames abused by newbies in implementing a left-hand menu and top banner layout with the mistaken belief its easier to maintain and makes downloading quicker. There are numerous problems this implementation raises typically related to the paradox it creates.

    To make-up for the usability deficiencies, many framed websites use some client-side techniques which cause further maintenance nightmares. There is a definite usability versus maintenance trade-off with frames, which make it a difficult technology to manage well. The alternatives available have none of these drawbacks, thus frames are a sub-optimal, and typically backward solution.

    Most of this "usability"-hacking of framed websites results in a complete dependancy on Javascript - another evil. Considering the on-going problems related to Windows lax security model (in the OS, Outlook and Internet Explorer) and the exponential growth of scripted worms and viruses (Melissa, Love Bug, Kornikova, SirCam, Code Red, Code Red II, Code Blue, Nimda), this convinces a greater number of surfers switching off Javascript entirely, which in turn causes a framed and scripted site to die a rather horrible death in the browser.
    • by ericspinder ( 146776 ) on Thursday July 01, 2004 @01:57PM (#9584461) Journal
      the mistaken belief its easier to maintain and makes downloading quicker.
      It does make downloading successive pages quicker, but I don't know anybody at 14.4K, so it doesn't make anywhere near the difference that it used to. It helps download speed, if you have rollover image based navigation (really a mistake, but sometimes you don't have a choice). Also, before the ubiquiness of the Application server it was either use JavaScript Objects kept in a hidden frame (or what was later called a 'pop-under') or roll you own CGI session mgmt.

      However, you are right bout the need for usuability hacks with frames, just getting the back button to work right is a real pain. But, I disagree about JavaScript being 'Evil', it's a tool which is particularly well suited for client side actions. I have used JavaScript recently to re-order a list rather than redoing the query, it's much faster than any of the alternatives. If you want to surf the net with JavaScipt turned off, that's your business. Now I avoid frames, unless I am told that is how it will be, but JavaScript is still very useful, especially combined with CSS (aka DHTML)

      The "lax" windows security model and the viruses you mention may be issues, but they have nothing to do with this issue. It's like saying: "Becuase of the war in Iraq, and the growth of fungus, You should only have salad at McDonalds', because it's better for you, QED."

    • by lphuberdeau ( 774176 ) on Thursday July 01, 2004 @03:13PM (#9585371) Homepage
      I have to agree that in common websites, frames are quite useless and ugly. All they really do is make nagivation a hell, but there are situations where frames are useful. I work on internally-used applications which sometimes have a web interface, and the users actually asked to have frames available in some cases. Frames can fill the gap between the usability of a standalone application and flexibility of the web.

      It might seem useless, but the simple fact that frames can be resized does suit most needs. Users can decide which section of the content is most useful to them. A common usage is when the users actually need to compare documents. Having both side by side can be nice.

      Just imagine Java's documentation without the frameset, it would really be a pain to search in. The class list is very long to load, and I'm quite happy they didn't simply include it in all pages.

      Frames are not evil, neither is JavaScript, it just depends on how it's used. Using frames for a menu is not a good thing, and using frames for a banner is simply worst. Those kind of usage really gave frames a bad reputation because they simply reduce the amount of usable space on the monitor. JavaScript used for pop-ups or ugly 'eye-candy' stuff really also is an error, but JavaScript can enable some real dynamism in a form and actually allow to save a lot of time in the processing. Isn't filling country, state and city automatically nice when a user enters a zip code?

      There used to be problems with JavaScript and browser compatibility, but it's not that bad anymore. Of course, IE simply won't support everything, but there are always workarounds.

      Really, those things are only evil if you're a designer. When you need to build an application that people will actually use and need to be productive, you need to look over those things to see if they could make the entire application better. Just don't abuse.
      • >>Isn't filling country, state and city automatically nice when a user enters a zip code?

        Show me a site that does this via JavaScript? The Zipcode database is HUGE, and I doubt anyone is downloading the whole thing on pageload just to auto fill in City/State via Zip.

        Don't get me wrong, I love JavaScipt (used right), and I think it really gets a bad wrap because of the pop-up issue.

        • Depends on what the scope is, and you don't need to load everything in the first place anyway.

          I'll just use an example from Frank Boumphrey (Source: http://conf.phpquebec.org/main.php/en/cdrom2004/s e ssion#3), this system was used for an hospital, only the local/frequent zip codes were sent to the client in the first place. Once again, this was for an internal application, but it can really apply anywhere.

          If sending the entire list is not an option, it's still possible to get the page to go fetch the inf
    • Since when was this news?!

      Frames are evil.

      Of course, but I think the notion that a "trusted" security site finds technology from the last millenium to be "newsworthy" to be newsworthy itself, if for no other reason than for /.'ers to ruthlessly mock them.

      Seriously, though, I posted this because I was starting to notice this meme drifting through the Mac websphere (of all places!) about the non-IE version of the flaw. I wanted to "out" the fact that this affected/effected/qffected IE as well before the Mi

    • by Anonymous Coward
      with the mistaken belief ...[it] makes downloading quicker

      Umm, that's not a mistaken belief. In fact, you'd have to try really REALLY hard to make it not true. I get sick of sites wiping the entire screen only to reload the exact same HTML for their "menu" every time you open a different option. Frames are not evil unless the user is an idiot, and a huge portion of internet users are still using 56k or slower modems.

      I get really sick of this, actually. One usability expert says frames are bad because
    • If you want a frame like interface use absolute positioning of the menu content in CSS.
      • Well, sure, you can do that, but then you have to include the menu on every page. Guess what happens when you want to change one of the links on the menu?

        And don't just say "use PHP"; there are lots of situations in which PHP is not a practical option.

        • There are all sorts of ways to manage this in a practical fashion. I'm not saying there are no down sides to this approach, but using frames has far more downsides and maintenance issues.
        • Fair enough, you don't have to use PHP, but SSIs in general work nicely instead of using a frameset.

          Personally, I use either a PHP include file, or an ASP one, depending on the set-up of the webserver - but a simple SSI in a .shtml file will work just the same.
  • by danguyf ( 631016 ) on Thursday July 01, 2004 @01:26PM (#9584120) Homepage
    I clicked "Vulnerabilities" in Secunia's menu frame and now the site won't come up... Which is the greater danger, frames or the slashdot effect?
  • by 0x0d0a ( 568518 ) on Thursday July 01, 2004 @01:26PM (#9584127) Journal
    Really, it sucks that there's no visual association between child and parent windows (like a string attaching them, or something). If a dialog comes up from a Javascript, how are you to know what frame it belongs to?

    The idea up throwing up dialogs really predates the need to provide a trusted interface to the user.
  • Not a bug, a feature (Score:4, Interesting)

    by Twirlip of the Mists ( 615030 ) <twirlipofthemists@yahoo.com> on Thursday July 01, 2004 @01:26PM (#9584128)
    It seems to me that the whole premise behind this so-called vulnerability is wrong. Frames and windows don't have owners, so there's nothing for the browser to verify.

    So yeah, I think the "a specified design feature of frames" thing is pretty close to the truth.
    • Yeah, I'd hardly call this a vulnerability. Maybe a "feature that can be used to trick users." Of course a parent window can modify content in it's child windows. This isn't exactly news. News would be "a child window can modify content in it's parent window", something that's supposed to require a signed script.

      You could do something similar without even bothering with frames, by, say, registering 'microssoft.com' and then linking to "http://msdn.microssoft.com/library/default.asp." How many peole will n

      • Yeah, I'd hardly call this a vulnerability.

        wrong. the Subject line of the parent could be correct, but your statement is wrong. It very well could be a design issue, thus it's not a bug. A correctly implemented design issue is not a bug. However a properly (or improperly) implemented design decision can very well lead to a vulnerability. I see no difference between a vulnerability and "Maybe a 'feature that can be used to trick users.'"

      • Parent window? Child window?

        Different windows. Open a new copy of your browser, doesn't matter how...

        This is a vulnerability because no matter how separate the user tries to keep two windows (for instance, using a bookmark to open ImportantBanking.com rather than clicking on a link to ImportantBanking.com from an untrusted external website), an untrusted external website can change the content in a frame of the ImportantBanking.com window.

        • Ah, that explains the rabid "this is crazy serious" comments. I RTFA, just not TFC. I thought this was just doing the obvious thing, and using javascript to manipulate a browser window that had been opened by the parent. Thanks for the clarification.

          (Canada Day involves heat and beer. Mea culpa).

          • Actually, the article is not entirely clear on this matter. I went ahead and verified (in IE, can't verify that that's the problem in every browser ;-) that it was more serious than that before I considered it serious, too.

    • I think the problem might be if you have a window open- like a banking site up, or ebay, amazon etc. etc., and you open another website; or somebody sends you spam with html attachment or something.

      As soon as it gets executed javascript replaces the real page with a fake one. If you don't notice the switch then the 'fun' ensues as you try to 'log back in'.

      • by bentcd ( 690786 )
        It doesn't rely on Javascript; as far as I can tell it uses straight HTML tags to do its thing. This means that even the paranoid ones such as myself are vulnerable to this sort of attack. I tend to find that interesting in and of itself :-)
        • by Anonymous Coward
          Top Ten Things Sucky Parts of the Web, using the Web-is-like-a-library analogy
          • Resize/maximize browser window from JS. When you're reading a book, does it latch on to your face with claws, preventing you from seeing anything else?
          • Pop-up ads and dialogue boxes. When you open a book, do other books fly off of the shelf and at you, flinging themselves open in the process?
          • Pop-under ads. When you finish reading a book and close it, does it fling itself back open to a different page?
          • target=_new. How a
          • the web is not only a library. Its a themepark, a post office, a news stand, a porno rental, a bookstore, a flee market, a bank and tons of other things. A web as library would be quite boring. Also regarding target=_new the correct analogy does translate perfectly into a library. When wanting to access a reference (link) found in the book, the new book doesn't replace the old one. Instead it is usualy open alongside the first.
  • CSS (Score:4, Informative)

    by Joe the Lesser ( 533425 ) on Thursday July 01, 2004 @01:29PM (#9584154) Homepage Journal
    My IT professors beat into my brain that all formatting that even remotely resembles frames should be done with CSS(Cascading Style Sheets) positioning.
    • Re:CSS (Score:3, Insightful)

      This is true for the most part. However sometimes you want content to stay on the page without doing a reload (perhaps there's a long database query or something). In that case frames/iframes are pretty much your only choice.
      • Re:CSS (Score:3, Informative)

        by bofkentucky ( 555107 )
        or <object> tags to include staticly generated content without aditional load on the server.
        • How does that work exactly? I've never seen <object > used with HTML content.
        • Re:CSS (Score:4, Informative)

          by The Mayor ( 6048 ) on Thursday July 01, 2004 @03:30PM (#9585564)
          In addition to using the <object> tag, which is available only to IE users, you can also use <div> tags and issuing requests to a hidden iframe that posts the results back to the parent window. Using the div tag approach, of course, still requires an iframe, but at least it's cross platform.
          • Re:CSS (Score:3, Informative)

            by bofkentucky ( 555107 )
            Actually it is the reverse, NS7 and Moz1.8a1 render the object tag [w3.org], which is valid HTML4.0 strict/XHTML1.0 strict perfectly

            NS4.80 does what it should when you can't render an object, render the content that the object surrounds

            IE6sp1 fails to render the object or the alternative, see for yourself here [scrtc.com].
          • Um, the object [w3.org] element is part of the HTML 4.01 specification.
  • Didn't work on me (Score:4, Informative)

    by MachDelta ( 704883 ) on Thursday July 01, 2004 @01:29PM (#9584156)
    Meh, didn't work on me. I've got Firefox set up to open links in new tabs, so all that happened was the supposed "frame" from Secunia appeared in its own tab. The only way for a link to open within an existing tab is if A) I tell it so, and B) it originates from the same tab. So nyeh!
  • by Anonymous Coward on Thursday July 01, 2004 @01:29PM (#9584159)
    Those of use using the Contiki web browser [www.sics.se] as our primary browser are still safe! Phew!
  • Wasted time. (Score:4, Informative)

    by BrookHarty ( 9119 ) on Thursday July 01, 2004 @01:33PM (#9584197) Journal
    I'm sitting here trying to get this to work on IE, Mozilla and Firefox then I read the bottom of the page.


    The following browsers are not affected:
    * Mozilla Firefox 0.9 for Windows
    * Mozilla Firefox 0.9.1 for Windows
    * Mozilla 1.7 for Windows
    * Mozilla 1.7 for Linux


    All my browsers are allready patched! Even IE was patched.
    • No Kidding! (Score:3, Funny)

      by blunte ( 183182 )
      Here I am feeling like a loser because I can't make the bug work.

      "Damnit! Even the stupid bugs and exploits don't work on this crappy machine!"

      • Here's why: In the description it says that You should open a trusted website and opens MSDN as an example. If you don't trust Microsoft, then the site isn't trusted and the bug doesn't apply to you. Try with some Linux site instead.

    • So, basically, they "discovered" this vulnerability after the major browser vendors had already fixed it!?! Wow, that is an amazing "discovery!" How do they do it? Y'know, next, maybe they can discover something really amazing and new, like, say, America! Or F=MA! :)
      • basically they just wanted people to notice them by crying out wolf.

        well.. they got what they ordered all right.
      • You know, not everyone upgrades to the latest browser version every time it's released. I'm running Mozilla 1.4 and it suits me fine. I'll probably go to Firefox when it hits 1.0. (Yes, I know it's quite nice now; I run it under FreeBSD. But psychologically I think I want to wait. :-p)

        So for people who don't feel like installing a new browser every month to stay on the bleeding edge, this is useful information so we can watch out for it.
        • Several security holes have been fixed since Mozilla 1.4, including an arbitrary code execution hole. Please upgrade to Mozilla 1.7 or Firefox 0.9.

          Security holes are discovered and fixed in web browsers often. To be safe with any browser, you should upgrade when a new version is released, regardless of whether the release is accompanied by a security advisory regarding older versions.
    • Re:Wasted time. (Score:3, Informative)

      by stienman ( 51024 )
      It worked on my Mozilla 1.7
      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040514

      -Adam
  • The report (Score:5, Funny)

    by k4_pacific ( 736911 ) <k4_pacific@yahoo . c om> on Thursday July 01, 2004 @01:38PM (#9584252) Homepage Journal
    Type: Spoofing
    Exploit: Local
    Effects: All browsers

    Description:
    A 6 year old vulnerability has been discovered in multiple browsers, allowing malicious people to spoof the content of websites.

    The problem is that the browsers don't check if a piece of black electrical tape is on the screen covering the address bar, which prevents the user from identifying the source of content in the browser window.

    Successful exploitation allows a malicious website to load arbitrary content with its source masked by the black tape. The user cannot know if this is a trusted site.

    Solution:
    Remove the piece of electrical tape from the screen. Windex may be necessary to clean up afterwards.
  • by bentfork ( 92199 ) on Thursday July 01, 2004 @01:42PM (#9584305)
    This is the same problem that is being exploited by banner ads setting cookies across domains.

    If you go to security settings in IE ( I've checked IE 6.x ) click custom level, and set "Navigate sub-frames across different domains" to prompt. You will get a nice little pop up warning.

    Now I can visit unsafe websites like microsoft.con

  • by Anonymous Coward
    Frames-based cross-browser security vulnerability, or self-promotional alarmist press release by heretofore unknown consultancy?
    • Frames have their purpose. I've built sites that utilize this 'security flaw' to achieve desired results. I agree with your opinion that this is a ploy to get a new consultancy in the public eye.

      lets see how accurate that is.....
      Record last updated 05-06-2004 01:07:26 AM
      Record expires on 08-16-2004
      Record created on 08-16-2002

      They've been around for almost 2 years...but if it's taken them this long to get in the news (even for such a trivial vulnerability as this), they're most likely trying to cash in o
  • Do not visit or follow links from untrusted websites.

    Is Slashdot considered "trusted" or "untrusted." You just never know what you are going to get when you click on some of these links.
  • a null issue (Score:3, Insightful)

    by TheSHAD0W ( 258774 ) on Thursday July 01, 2004 @02:24PM (#9584799) Homepage
    There really isn't much difference between a transparent frame with a Java app intercepting access to a legitimate web page, and someone's creating a mock-up of the legitimate page; either way, the only real way to tell is the URL displayed in the address bar. Any real solution for one should work for the other.
  • by jesser ( 77961 ) on Thursday July 01, 2004 @02:24PM (#9584803) Homepage Journal

    Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

    Mozilla (bugzilla.mozilla.org 246448)
    Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17.
    Opera (bugs.opera.com 145283)
    No response.
    Microsoft
    On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

    Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

    • I usually don't get any response from Microsoft when I report security holes to them

      You must be reporting them to the wrong place. Unlike other bugs I've tried to report to Microsoft and not even received an acknowledgement for, when I've reported security related bug, I've received a response the same day.

      • When you report security bugs to Microsoft, how do you report them? My methods are in http://www.squarefree.com/archives/000374.html and a comment on the same page.
        • The URL at the top is a wishlist, they probably never look at that, and if they do it is the wrong department. The last comment has the email address I used. They do respond quickly on that.
          • The URL at the top is a wishlist, they probably never look at that, and if they do it is the wrong department.

            I think you're right. But by including a "security" checkbox on the wish form, Microsoft makes it look like they might have received your message.

            The last comment has the email address I used. They do respond quickly on that.

            I wish it had been easier to find that address. http://www.microsoft.com/security/default.mspx doesn't have "report a vulnerability" anywhere. I found that address by
      • The best place to get a response when reporting a security bug is on Bugtraq. :).

        I've tried the "wait for vendor to fix it" method before, and the result was they fixed it in the next major release after a _long_ time, and customers who wanted the prob fixed had to pay to upgrade.
  • This should be on the front page, not hidden back in developers, if only to make blind followers of $MY_ALTERNATIVE_BROWSER realize that they too are vulnerable, and not just MS.

    and now to complete the troll: Slashdot editors never argued that they were fair and just in reporting, so why should this be on the front page?


    The following browsers are not affected:
    * Mozilla Firefox 0.9 for Windows
    * Mozilla Firefox 0.9.1 for Windows
    * Mozilla 1.7 for Windows
    * Mozilla 1.7 for Linux


    interesting. what about 0.9
    • Firefox on Linux is not affected, it won't be on Mac or any other platform. Why do they list Firefox 0.x as affected at the top and then list browsers not affected at the bottom where most people probably won't even get to? Shouldn't the affected browsers say something like 0.x before 0.9?
    • This should be on the front page, not hidden back in developers, if only to make blind followers of $MY_ALTERNATIVE_BROWSER realize that they too are vulnerable, and not just MS.

      The sectioning was probably due to my choice of wording [acm.org] in the headline...

  • Although it's true that this is "working as designed", it does present an interesting exploit scenario. Let's assume you visit evilguy's site, supposed to be a financial portal. From there, a list of links direct you to the (framed) pages of banks where you can run your operations.

    Now, evilguy's site has javascript code running that will detect when one of the interesting frames is available (frames that contain login info). It means that you're trying to log into your account at one of the bank sites. What it does is serve you a facsimile that looks exactly like the original login screen, except this one sends the info to evilguy's site.

    When your login info is in evilguy's database, he just sends it to the bank and replaces the frame again with the content the bank returned. Voila! Successfully executed framejacking to invisibly steal your login info.

    This might be serious.
    • by Anonymous Coward
      yay man in the middle attacks! good point, poster.
    • Well, people have always been using tricks to get you to go to pages like "http://www.paypal-secure-transfer.com" and type in your password by making the page look just like PayPal's. The whole point of SSL is that the pubkey you're encrypting with is supposed to be signed by a trusted CA so that you know there ISN'T a man-in-the-middle attack.

      There's no difference between the scenario the parent describes, and somebody simply mirroring PayPal's front-end while stealing your info on the backend. If the URL
      • Except where you can do this with real sites, without the need to spoof a whole site. If the *real* site uses frames in the design, you can just change that frame, not the whole site. The "link list" I suggested was just to increase the likelihood that the sites in question are opened.
      • Ah, but the key difference is that if you spoof someone else's site, you can't spoof their certificate unless you can somehow get ahold of their private key. With this frames approach, even if the user checks the certificate, it still looks good, and he may think he has a secure, encrypted connection to his bank.

        True that many users don't check certificates, and to those, this will make little difference, but some people do.

  • The report simply says that a frame is global to all browser windows, so if I open a site with a frame named "fraRightWindow" and then click on a link in another window that tragets that frame name it'll change that frame even if the sites are completely unrelated.

    The obvious vulnerability is that the page exploiting this needs to know the frame name.

    If you use dynamic frame names (even just change them statically every day or every few hours) then you have little to worry about.

    Unless, of course,
  • Tabbed Browsing (Score:1, Informative)

    by Anonymous Coward
    I just checked - indeed - works in Netscape 7.1 and doesn't in Firefox 0.9.1. However, it doesn't work anymore in Netscape if you open the page as a tab instead of another window. Somehow tabs don't work very well with frame names, at least in Netscape.
    It's actually implementation issue - for most browsers - letting other pages swap frames in framesets that don't belong to them. Whoever said that frames don't have owners - it's not quite true - frames are hierarchical to some degree, so it's not so difficu

  • The test page did push data to the opened MS window.

    Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7) Gecko/20040629 Firefox/0.9.1

    Nothing to see, move along...


  • I am curious how long this problem has been around.

    I checked and duplicated the problem on Netscape 7.1 and Firefox .8
    However the problem does not exist with Netscape Communicator 4.8 and probably never has since I recall the original Netscape documentation containing information on security that frames could only be changed by frames from the same domain.

    Anyone running IE with the current help file keylogger problem is asking for worse than spoofing.

    Somebody broke something, after the version 4 brows [netscape.com]
  • I just ran their test and it did not work on me. It loaded the page in a new tab instead of the MSN frame. I have Tabbed Browser Extensions installed with nearly everything set to open in a new tab.

    I'm not sure what setting it is. I've done everything but disable the extension and it still opens in a new tab instead of the frame. So looks like they did not do very extensive testing.

    I also tried it on a Windows 98 computer with a fresh install of FireFox 0.9.1 with no extensions installed and it doesn't wo
    • I guess I should Read the Whole Fucking Article next time. I just read down far enough to test the link. I saw at the begining it listed FireFox 0.X....
  • You insensitive clods, my web browser [dotgeek.org] doesn't even have tables, let alone frames.

    It was something Tom Duff wrote at Bell Labs before moving on to Pixar.

  • This affects all browsers I've tried it on. When you click in a "hyperlink" it brings you to a page without asking you specifically if you would like to switch pages. Things to watch out for is the mouse pointer changing to a finger. In fact, if you pointer does change to a finger, you're probably vulnerable. The most shocking aspect is even Lynx is vulnerable to this web bug.
  • To me IE is the vulurability.

Perfection is acheived only on the point of collapse. - C. N. Parkinson

Working...