
Re: XSS risk from iframe@doc?

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 17 Jan 2010 21:13:52 +0000 (UTC)
To: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Cc: Adam Barth <w3c@adambarth.com>, HTML WG <public-html@w3.org>
Message-ID: <Pine.LNX.4.64.1001172112270.3759@ps20323.dreamhostps.com>

On Sun, 17 Jan 2010, Lachlan Hunt wrote:
> Ian Hickson wrote:
> > doc="" is only meant to be used with sandbox="". I can just make it 
> > not do anything at all if sandbox="" isn't specified, if that helps.
> 
> Why not just make it easier and say that doc="" is always processed as 
> if sandbox="" were specified, even if the author didn't specify it 
> explicitly? Requiring the author to always remember to type <iframe 
> doc="..." sandbox=""> just seems redundant, unless they want to specify 
> some of the sandbox allow-* values.

With security stuff, I'm very wary of making anything implicit, because 
implication is a common source of bugs. It's far easier to reason about 
things when they are "works"/"doesn't work"-type features with very 
explicit switches (like a sandbox attribute being present).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 17 January 2010 21:15:18 GMT
