hixie: Mention the mostly hypothetical security risk of <iframe marginwidth> (whatwg r4018)

hixie: Mention the mostly hypothetical security risk of <iframe
marginwidth> (whatwg r4018)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3179&r2=1.3180&f=h
http://html5.org/tools/web-apps-tracker?from=4017&to=4018

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3179
retrieving revision 1.3180
diff -u -d -r1.3179 -r1.3180
--- Overview.html 29 Sep 2009 00:52:49 -0000 1.3179
+++ Overview.html 29 Sep 2009 01:05:34 -0000 1.3180
@@ -65311,8 +65311,6 @@
   default value of 8px is expected to be used for that property
   instead.</p>
 
-  <!-- XXX so, uh, about the cross-site-styling hole below... -->
-
   <table><thead><tr><th>Property
      <th>Source
    <tbody><tr><td rowspan="3">'margin-top'
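Review bot: Removing the XXX marker directly above the margin table leaves nothing at the table itself that points to the cross-site-styling concern. The replacement warning is added further down, after the container frame element definition, and refers only to "the above requirements". Consider placing the warning immediately after the table, or having it name the margin properties it covers, so that a reader of the table sees the caveat.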
@@ -65340,6 +65338,14 @@
   <code><a href="#frame">frame</a></code> or <code><a href="#the-iframe-element">iframe</a></code> element. Otherwise, there
   is no <a href="#container-frame-element">container frame element</a>.</p>
 
+  <p class="warning">The above requirements imply that a page can
+  change the margins of another page (including one from another
+  <a href="#origin">origin</a>) using, for example, an
+  <code><a href="#the-iframe-element">iframe</a></code>. This is potentially a security risk, as it
+  might in some cases allow an attack to contrive a situation in which
+  a page is rendered not as the author intended, possibly for the
+  purposes of phishing or otherwise misleading the user.</p>
+
   <hr><p>If the <code>Document</code> has a <a href="#root-element">root element</a>, and
   the <code>Document</code>'s <a href="#browsing-context">browsing context</a> is a
   <a href="#nested-browsing-context">nested browsing context</a>, and the <a href="#browsing-context-container">browsing context
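Review bot: In the added warning, "might in some cases allow an attack to contrive a situation" looks like a typo for "allow an attacker to contrive a situation". The paragraph also names the risk (a page from another origin rendered with margins its author did not intend) without saying what the author of a framed page or a user agent is expected to do about it. If no mitigation is intended, stating that would keep the warning from reading as an unresolved issue.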

Received on Tuesday, 29 September 2009 01:06:30 UTC