Re: Seamless iframes + CSS3 selectors = bad idea

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 7 Dec 2009 10:14:38 +0000 (UTC)
To: "sird@rckc.at" <sird@rckc.at>
Cc: Thomas Roessler <tlr@w3.org>, Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912071014060.14026@hixie.dreamhostps.com>

On Mon, 7 Dec 2009, sird@rckc.at wrote:
> 
> Regarding this problem, I think we can't really fix the CSS3 selectors 
> since several browsers already implement them, so the thread was about the 
> seamless iframes in HTML5.
> 
> Could it be possible to NOT parse these selectors inside seamless 
> iframes?
> 
> I mean, the frame would parse everything except for selectors that match 
> text.
> 
> That at least won't introduce a new vulnerability on seamless iframes, 
> and I think it is a fair sacrifice (not using *= $= and ^= selectors inside 
> the seamless iframes) for security.

What is the attack vector with seamless <iframe>s? Didn't the recent 
change address this?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 7 December 2009 10:15:19 GMT