Re: text/sandboxed-html

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 10 Jun 2010 12:08:00 -0700
Cc: Artur Adib <arturadib@gmail.com>, robert@ocallahan.org, public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Ian Hickson <ian@hixie.ch>
Message-id: <C11775FA-A8B3-498A-B553-B8C6B12453CB@apple.com>
To: Adam Barth <w3c@adambarth.com>

On Jun 4, 2010, at 10:00 AM, Adam Barth wrote:

> On Thu, Jun 3, 2010 at 2:55 PM, Artur Adib <arturadib@gmail.com> wrote:
>> On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>>> Could an attacker use a custom Flash object to force top-level navigation?
>> 
>> Good question.
>> 
>> Adam- Do you happen to know if that's possible in WebKit?  I mean, I
>> don't even know if Flash has access to 'top.location', but if it does,
>> will @sandbox protect it?
> 
> You can run an experiment and see, but, in general, there's no way for
> the browser to contain what plug-ins are able to do.  If navigating
> the top frame doesn't work today, that's an accident of implementation
> and not a security property, which means you can probably find some
> tricky way of asking Flash to navigate the top frame that works.

I'm almost certain it can be done. The plugin API has a specific way to request navigation of a chosen frame that does not go through JavaScript. I believe Flash exposes it to ActionScript. I suspect no one bothers to use it for framebusting currently since JavaScript is easier, but it would surely become more popular if <iframe sandbox> becomes popular for framebusting.

Regards,
Maciej
Received on Thursday, 10 June 2010 19:08:34 GMT
