W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Sun, 6 Dec 2009 17:22:38 +0800
Message-ID: <8ba534860912060122s236a3d32y7b9366ce9516a9ab@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, sird@rckc.at, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
hi!

I understood only members/invited.experts had a real vote in it.. anyway

wrt autofocus it enables xss vectors without user interaction (Mario
Heiderich/Gareth Heyes).

On Dec 6, 2009 4:27 PM, "Maciej Stachowiak" <mjs@apple.com> wrote:

On Dec 6, 2009, at 12:16 AM, sird@rckc.at wrote: > Hi! > > Yeah.. seamless
iframes just enhance th...
I see.

> I tried to persued giorgio maone to lock this selectors on NoScript, but
that had a performance ...
The team that reviews W3C specs consists of anyone who wants to review. And
you can probably convince implementors not to implement things that are
insecure by explaining how they are insecure. You have to keep in mind
though that implementors will trade off potential attack surface against
usefulness - so anything that's not a blatant exploit probably my still get
implemented if it's really useful. Otherwise we would never add anything to
the Web platform.

BTW attributes on closing tags are ignored (they are processed solely to
allow the right parse errors to be emitted), and autofocus emulates
something that you can do with script and which many sites already do, so
it's not clear to me how either creates any vulnerabilities.

Regards,
Maciej
Received on Sunday, 6 December 2009 09:23:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT