Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Dec 2009 23:52:52 -0800
Message-ID: <7789133a0912052352r3fed4f6i28086ae61b81b10c@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Maciej Stachowiak <mjs@apple.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org

On Sat, Dec 5, 2009 at 11:10 PM, sird@rckc.at <sird@rckc.at> wrote:
> Anyway, I will start another thread regarding sandbox iframes... I think they
> are useless.. but maybe it's a misunderstanding.

What's problematic about sandboxed iframes?  There is a problem if the
attacker navigates the user to the contents of the iframe outside of
the sandbox, but I suspect we'll eventually solve that by letting
sites specify the sandbox directives in an HTTP header (a la
https://wiki.mozilla.org/Security/CSP/Sandbox).

Is there something else you had in mind?  If you'd like to experiment,
the latest WebKit nightlies should support the feature.

Adam
Received on Sunday, 6 December 2009 07:53:44 GMT
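
The header idea mentioned in the message, sketched as an added example that is not part of the original post or of any project's code: the document itself carries the sandbox policy, so the restriction holds whether it is framed or navigated to directly. It assumes the `sandbox` directive of the `Content-Security-Policy` response header (the form this idea later took), a hypothetical `/untrusted/` path, and a simplified model of the browser's decision.

```javascript
// Added example: all names and the /untrusted/ path are hypothetical.
const UNTRUSTED_PREFIX = '/untrusted/';
const KNOWN_FLAGS = new Set([
  'allow-forms', 'allow-scripts', 'allow-same-origin', 'allow-top-navigation',
]);

// Build the directive, refusing tokens we do not recognise so a typo
// cannot silently change the policy.
function sandboxPolicy(flags = []) {
  for (const f of flags) {
    if (!KNOWN_FLAGS.has(f)) throw new Error(`unknown sandbox flag: ${f}`);
  }
  return ['sandbox', ...flags].join(' ');
}

// Response headers: untrusted documents carry their own sandbox policy.
function headersFor(path, flags = []) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (path.startsWith(UNTRUSTED_PREFIX)) {
    headers['Content-Security-Policy'] = sandboxPolicy(flags);
  }
  return headers;
}

// Simplified model (an assumption, not browser code): a document is sandboxed
// if the embedding iframe has the attribute OR the response demands it.
function isSandboxed(load, headers) {
  const csp = headers['Content-Security-Policy'] || '';
  const byHeader = csp.split(';').some(d => d.trim().split(/\s+/)[0] === 'sandbox');
  const byAttribute = load.framed && load.iframeHasSandboxAttr;
  return Boolean(byHeader || byAttribute);
}

// Handler with the (req, res) shape of Node's http.createServer callback.
function handler(req, res) {
  res.writeHead(200, headersFor(req.url));
  res.end('<p>user-supplied markup would be served here</p>');
}

// Constructed cases: the same document reached inside the frame and directly.
const framed = { framed: true, iframeHasSandboxAttr: true };
const direct = { framed: false, iframeHasSandboxAttr: false };
const attrOnly = { 'Content-Type': 'text/html' };        // no header sent
const withHeader = headersFor('/untrusted/profile.html');
console.log('attribute only:', isSandboxed(framed, attrOnly), isSandboxed(direct, attrOnly));
console.log('with header:   ', isSandboxed(framed, withHeader), isSandboxed(direct, withHeader));
```
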
