
Re: XSS risk from iframe@doc?

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 18 Jan 2010 02:00:18 -0800
Message-ID: <7789133a1001180200x5d122748sa3098cfed22d65ca@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Ian Hickson <ian@hixie.ch>, HTML WG <public-html@w3.org>

On Mon, Jan 18, 2010 at 12:36 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> I'm not saying Adam's concern rules the feature out, but we should think about whether there is a way to tighten it up or find a different way to do things. Making it solely an IDL attribute and not a content/markup attribute is one way to avoid script injection risks, but may not serve the use case equally well. (In fact, it's not any harder to document.write or use innerHTML on the content document, so a script-only feature might not be worth doing).

Keep in mind that you most often want to use this feature without the
allow-origin directive, which means you won't be able to reach into
the frame to call document.write or set innerHTML.

Adam
Received on Monday, 18 January 2010 10:01:11 GMT
