Re: Seamless iframes + CSS3 selectors = bad idea

From: <sird@rckc.at>
Date: Mon, 7 Dec 2009 16:43:08 +0800
Message-ID: <8ba534860912070043t25cefc7agef617d16305b6192@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Cc: Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
When I say parse I mean apply... or whatever term is used to apply a
property to an element.

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Mon, Dec 7, 2009 at 4:42 PM, sird@rckc.at <sird@rckc.at> wrote:

> Hi!
>
> Thanks, Thomas, understood :)
>
> Regarding this problem, I think we can't really fix the CSS3 selectors
> since several browsers already implement it, so the thread was about the
> seamless iframes on html5.
>
> Could it be possible to NOT parse these selectors inside seamless iframes?
>
> I mean, the frame would parse everything except for selectors that match
> text..
>
> That at least won't introduce a new vulnerability on seamless iframes, and I
> think it is a fair sacrifice (not using *=, $= and ^= selectors inside the
> seamless iframes) for security.
>
>
> Greetings!!
> -- Eduardo
> http://www.sirdarckcat.net/
>
> Sent from Hangzhou, 33, China
>
> On Mon, Dec 7, 2009 at 2:35 AM, Thomas Roessler <tlr@w3.org> wrote:
>
>> On 6 Dec 2009, at 10:22, sird@rckc.at wrote:
>>
>> I understood only members/invited.experts had a real vote in it..
>>
>> Even if you're not an invited expert (or member rep) in a WG, public
>> comments must be taken seriously. If groups don't do that, fora like this
>> list (or explicitly saying that you don't agree to a group's disposition of
>> a comment) are a fairly useful mechanism to draw attention to problems.
>>
>> As far as the W3C HTML Working Group is concerned, see also:
>>   http://www.w3.org/2007/04/html-ie-faq
>>
>> Regards,
>> --
>> Thomas Roessler, W3C  <tlr@w3.org>
>>
>>
>
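The policy Eduardo proposes above (apply everything in a seamless iframe except selectors that match on text) can be expressed as a stylesheet filter. The following is an added example, not code from the thread or from any browser: it drops any style rule whose selector uses a substring attribute operator (*=, ^=, $=) before the stylesheet would reach the frame. Function names are my own; comments are assumed stripped and statement at-rules such as @import are not handled.

```javascript
// Added example: enforce "no text-matching attribute selectors" on a stylesheet.
const SUBSTRING_OPS = new Set(['*=', '^=', '$=']);

// True if the selector contains [attr*=...], [attr^=...] or [attr$=...].
// Quoted strings are skipped so an operator inside a value literal is ignored.
function usesSubstringAttributeSelector(selector) {
  let quote = null, inBracket = false;
  for (let i = 0; i < selector.length; i++) {
    const ch = selector[i];
    if (quote) { if (ch === '\\') i++; else if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (ch === '[') inBracket = true;
    else if (ch === ']') inBracket = false;
    else if (inBracket && SUBSTRING_OPS.has(selector.slice(i, i + 2))) return true;
  }
  return false;
}

// Split css into top-level rules [{prelude, body}] by brace depth, ignoring
// braces inside quoted strings. Assumes comments were removed beforehand.
function splitRules(css) {
  const rules = [];
  let depth = 0, quote = null, start = 0, bodyStart = -1;
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    if (quote) { if (ch === '\\') i++; else if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '{') { if (depth++ === 0) bodyStart = i + 1; }
    else if (ch === '}' && --depth === 0) {
      rules.push({ prelude: css.slice(start, bodyStart - 1).trim(), body: css.slice(bodyStart, i) });
      start = i + 1;
    }
  }
  return rules;
}

// Rebuild the stylesheet without offending rules. At-rules with nested blocks
// (@media, @supports) are filtered recursively; other at-rules pass through.
function filterSubstringSelectors(css) {
  return splitRules(css).map(({ prelude, body }) => {
    if (prelude.startsWith('@')) {
      const inner = body.includes('{') ? filterSubstringSelectors(body) : body;
      return `${prelude}{${inner}}`;
    }
    return usesSubstringAttributeSelector(prelude) ? '' : `${prelude}{${body}}`;
  }).join('');
}

// Constructed sample input: one plain rule, one substring rule, one nested @media.
const SAMPLE_CSS = 'p{color:red}input[value*="x"]{background:url(x.png)}' +
  '@media screen{input[value$="y"]{color:blue}b{color:green}}';
```

Running `filterSubstringSelectors(SAMPLE_CSS)` keeps the `p` and `b` rules and discards both `input[value...]` rules, including the one nested inside `@media`.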
Received on Monday, 7 December 2009 08:44:14 GMT