
Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 7 Dec 2009 06:05:24 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, Maciej Stachowiak <mjs@apple.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912070604130.5629@hixie.dreamhostps.com>

On Sun, 6 Dec 2009, Adam Barth wrote:
> 
> In some sense, a site needs to vet all URLs for javascript URLs, but 
> this behavior means that every time you see "javascript:" in an XSS 
> filter, they're probably insecure unless you also see "data:" right next 
> door.  (By the way, I'd imagine data URLs in a@href is a more common XSS 
> hole than iframe@src.)

If you're blacklisting URL schemes, instead of whitelisting URLs you think 
are safe, then you're in all kinds of trouble anyway.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 7 December 2009 06:06:02 GMT
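
The contrast drawn in this exchange, as an added example that is not part of the original message: a filter that blacklists only "javascript:" next to one that whitelists schemes after parsing the URL. The function names, the allowed-scheme set and the base URL `https://site.example/` are assumptions, and the sample inputs are constructed.

```javascript
// Added example, not code from the thread. All names here are hypothetical.

// Schemes this hypothetical site chooses to permit in a@href / iframe@src.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Blacklist approach: reject only the scheme the filter author thought of.
function blocklistAccepts(value) {
  return !value.trim().toLowerCase().startsWith("javascript:");
}

// Whitelist approach: parse with the WHATWG URL parser, then accept only
// known schemes. Relative references resolve against the site's own base
// and so inherit its https: scheme. Unparseable input is rejected.
function allowlistAccepts(value, base = "https://site.example/") {
  let url;
  try {
    url = new URL(value, base);
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample attribute values.
const samples = [
  "https://example.org/page",
  "/local/path?x=1",
  "mailto:someone@example.org",
  "javascript:void(0)",
  "data:text/html,<p>sample</p>",
  "ftp://example.org/file",
];

// Run both filters over the same inputs so the differences are visible.
function compare(values) {
  return values.map((v) => ({
    value: v,
    blocklist: blocklistAccepts(v),
    allowlist: allowlistAccepts(v),
  }));
}

console.table(compare(samples));
```

The blacklist passes the `data:` and `ftp:` values because it was never told about them; the whitelist rejects every scheme it does not name.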
