Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 6 Dec 2009 09:25:34 +0000 (UTC)
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, Maciej Stachowiak <mjs@apple.com>, public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912060922550.5629@hixie.dreamhostps.com>

On Sun, 6 Dec 2009, sird@rckc.at wrote:
>
> yeah, that's exactly what I was talking about: 
> http://sla.ckers.org/forum/read.php?2,28617
> 
> So... <iframe seamless> is useless if you are already specifying the 
> sandbox directives via an HTTP header right?

<iframe sandbox src=""> is intended primarily for cross-origin embedding, 
not same-origin. For same-origin, we'll probably add <iframe sandbox 
doc="">, with inline source.


> And if developers start using the example that is given in the spec, 
> then a lot of people (devs often just follow documentation without 
> thinking twice) will miss the fact that attackers can inject a link 
> instead of an iframe.

I'll add some text mentioning this case.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 09:26:02 GMT
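
The case raised in this message, where untrusted content is reached through an injected link rather than through the sandboxed iframe, can be checked on the response itself. The following is an added example, not part of the original message or of the spec. It assumes the header-based sandbox mentioned above is expressed as the `sandbox` directive of `Content-Security-Policy` (standardized after this thread); the function names and sample headers are constructed for illustration.

```javascript
// Audit whether a response carrying untrusted content stays sandboxed when it
// is opened directly (top-level navigation), not only inside <iframe sandbox>.

// Return the sandbox tokens of one CSP policy, or null if it has no sandbox
// directive. Within a policy, only the first occurrence of a directive counts.
function sandboxTokens(policy) {
  for (const directive of policy.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === 'sandbox') {
      return parts.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: plain object keyed by lower-cased header name (assumed input shape).
function auditDirectNavigation(headers) {
  const value = headers['content-security-policy'] || '';
  let sawSandbox = false;
  // A header may carry several comma-separated policies; all are enforced,
  // so one sufficiently strict sandbox policy is enough.
  for (const policy of value.split(',')) {
    const tokens = sandboxTokens(policy);
    if (tokens === null) continue;
    sawSandbox = true;
    const escapes = tokens.includes('allow-scripts') &&
                    tokens.includes('allow-same-origin');
    if (!escapes) {
      return { sandboxed: true, reason: 'sandbox applies however the document is reached' };
    }
  }
  return {
    sandboxed: false,
    reason: sawSandbox
      ? 'allow-scripts with allow-same-origin lets the content act as its real origin'
      : 'no sandbox directive: a direct link loads the content unsandboxed',
  };
}

// Constructed sample responses for a user-content URL.
const samples = {
  iframeAttributeOnly: {},
  headerSandbox: { 'content-security-policy': 'sandbox allow-forms' },
  weakHeader: { 'content-security-policy': "default-src 'self'; sandbox allow-scripts allow-same-origin" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, auditDirectNavigation(headers));
}
```

A response that fails this check relies entirely on the embedding page's `sandbox` attribute, which a plain link to the same URL bypasses.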