
Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Sun, 6 Dec 2009 14:58:36 +0800
Message-ID: <8ba534860912052258t23a14a99xb4ede984d9ec6f0d@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: sird@rckc.at, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
IIRC, sandboxed iframes can't frame.

In any case, sandboxed iframes are a joke unless you use data URIs... that
should be cross-origin anyway.

On Dec 6, 2009 2:55 PM, "Maciej Stachowiak" <mjs@apple.com> wrote:

On Dec 5, 2009, at 10:27 PM, Maciej Stachowiak wrote:
> > I think the attack is that you can injec...
OK, I thought of a possible real vulnerability. A trusted host page on the
site wants to embed some untrusted user-generated content with the ability
to modify it, so it embeds it, hosted from its own server, using <iframe
sandbox="allow-same-origin">. This should prevent scripting and plugins, so
in theory it seems safe. But the untrusted content could embed a further
iframe with the seamless flag, embedding an arbitrary document from the
hosting service. It can then use CSS selectors to probe for data in that
document.

Regards,
Maciej
Received on Sunday, 6 December 2009 06:59:17 GMT
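The scenario Maciej describes is a configuration problem on the host page: user-generated content served from the host's own origin, framed with `sandbox="allow-same-origin"`, keeps the host origin and so can nest further frames of host documents. The following is an added example, not code from this thread, from the HTML spec or from any browser: a small Node.js audit helper that flags that configuration and the related `allow-same-origin` + `allow-scripts` case. The function names, finding codes and sample embeddings are this example's own assumptions.

```javascript
// Audit one <iframe> that embeds untrusted user-generated content.
// hostOrigin: origin of the embedding page; src/sandbox mirror the iframe's
// attributes (sandbox === null means the attribute is absent).
// Names and finding codes are this example's own, not a spec or browser API.

// Split the sandbox attribute into its flag tokens (space-separated, ASCII case-insensitive).
function parseSandbox(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return null;
  return new Set(sandboxAttr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Resolve the frame's src against the host and return its origin.
// data: URLs have an opaque origin, which URL reports as the string "null".
function frameOrigin(src, hostOrigin) {
  return new URL(src, hostOrigin).origin;
}

function auditIframe({ hostOrigin, src, sandbox = null }) {
  const host = new URL(hostOrigin).origin;
  const sameOrigin = frameOrigin(src, host) === host;
  const flags = parseSandbox(sandbox);
  const findings = [];

  if (flags === null) {
    findings.push({ code: 'NO_SANDBOX',
      message: 'untrusted content is embedded without a sandbox attribute' });
    return findings;
  }
  if (sameOrigin && flags.has('allow-same-origin')) {
    // The configuration from the thread: the frame keeps the host's origin, so
    // any frame it nests can load other host documents as same-origin content
    // and, with a seamless frame, apply its own CSS selectors to them.
    findings.push({ code: 'SAME_ORIGIN_SANDBOX',
      message: 'allow-same-origin on same-origin content keeps the host origin; nested frames can embed and probe other host documents' });
    if (flags.has('allow-scripts')) {
      // Noted in the HTML spec's sandbox description: with both flags a
      // same-origin frame can reach its parent and remove its own sandbox.
      findings.push({ code: 'SANDBOX_ESCAPE',
        message: 'allow-same-origin plus allow-scripts lets same-origin content remove its own sandbox' });
    }
  }
  return findings;
}

// Constructed sample embeddings for a host at https://example.com (not real sites).
const samples = [
  { hostOrigin: 'https://example.com', src: '/ugc/post-42.html', sandbox: 'allow-same-origin' },
  { hostOrigin: 'https://example.com', src: '/ugc/post-42.html', sandbox: 'allow-same-origin allow-scripts' },
  { hostOrigin: 'https://example.com', src: 'https://ugc.example-usercontent.net/post-42.html', sandbox: 'allow-same-origin allow-scripts' },
  { hostOrigin: 'https://example.com', src: 'data:text/html,<p>user-content</p>', sandbox: 'allow-same-origin' },
  { hostOrigin: 'https://example.com', src: '/ugc/post-42.html' },
];

for (const s of samples) {
  const codes = auditIframe(s).map((f) => f.code);
  console.log(`${s.src} [${s.sandbox ?? 'no sandbox'}] -> ${codes.length ? codes.join(', ') : 'ok'}`);
}
```

The third and fourth samples come back clean: content served from a separate origin (or a data: URI, whose origin is opaque) does not share the host's origin even with `allow-same-origin`, which is the mitigation the thread points at. The `seamless` attribute itself was later dropped from the HTML standard, but the `allow-same-origin` point stands on its own.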
