W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Dec 2009 23:52:52 -0800
Message-ID: <7789133a0912052352r3fed4f6i28086ae61b81b10c@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Maciej Stachowiak <mjs@apple.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
On Sat, Dec 5, 2009 at 11:10 PM, sird@rckc.at <sird@rckc.at> wrote:
> anyway i will start another thread regarding sandbox iframes... i think they
> are useless.. but maybe its a misunderstanding.

What's problematic about sandboxed iframes?  There is a problem if the
attacker navigates the user to the contents of the iframe outside of
the sandbox, but I suspect we'll eventually solve that by letting
sites specify the sandbox directives in an HTTP header (a la

Is there something else you had in mind?  If you'd like to experiment,
the latest WebKit nightlies should support the feature.

Received on Sunday, 6 December 2009 07:53:44 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:17 UTC