W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Mon, 7 Dec 2009 16:42:25 +0800
Message-ID: <8ba534860912070042l61b62ff6q21eab21242b70d8f@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Cc: Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Hi!

Thanks thomas, understood :)

Regarding this problem, I think we can't really fix the CSS3 selectors since
several browsers already implement it, so the thread was about the seamless
iframes on html5.

Could it be possible to NOT parse this selectors inside seamless iframes?

I mean, the frame would parse everything except for selectors that match
text..

That at least wont introduce a new vulnerability on seamless iframes, and I
think is a fair sacrifice (not use *= $= and ^= selectors inside the
seamless iframes) for security.

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Mon, Dec 7, 2009 at 2:35 AM, Thomas Roessler <tlr@w3.org> wrote:

> On 6 Dec 2009, at 10:22, sird@rckc.at wrote:
>
> I understood only members/invited.experts had a real vote in it..
>
> Even if you're not an invited expert (or member rep) in a WG, public
> comments must be taken seriously. If groups don't do that, fora like this
> list (or explicitly saying that you don't agree to a group's disposition of
> a comment) are fairly useful mechanism to draw attention to problems.
>
> As far as the W3C HTML Working Group is concerned, see also:
>   http://www.w3.org/2007/04/html-ie-faq
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
>
Received on Monday, 7 December 2009 08:43:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT