Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 07 Dec 2009 02:40:39 -0800
Cc: "sird@rckc.at" <sird@rckc.at>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Message-id: <FE0BE458-054A-46C4-AD43-11EC1852A0DB@apple.com>
To: Adam Barth <w3c@adambarth.com>

On Dec 6, 2009, at 8:31 AM, Adam Barth wrote:

> On Sun, Dec 6, 2009 at 7:06 AM, sird@rckc.at <sird@rckc.at> wrote:
>> Anyway, maybe I misunderstood what he said, I thought he meant in chrome it
>> was a new and exclusive origin (different from the parent one) and my tests
>> sort of confirmed that.
>
> WebKit-based browsers (Safari, Chrome, etc.) use a unique origin for
> data URLs.  This is out-of-spec with HTML5, but Maciej and others think
> the spec's behavior is a security vulnerability.

I don't think the spec's behavior is a security vulnerability, just  
the way Ian informally described it. The actual spec text appears not  
to be practically implementable (or perhaps it is just missing the  
details that make it implementable and secure).

Regards,
Maciej
Received on Monday, 7 December 2009 10:41:20 GMT