W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 7 Dec 2009 10:45:06 +0000 (UTC)
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912071043330.14026@hixie.dreamhostps.com>
On Mon, 7 Dec 2009, Maciej Stachowiak wrote:
> On Dec 6, 2009, at 8:31 AM, Adam Barth wrote:
> > On Sun, Dec 6, 2009 at 7:06 AM, sird@rckc.at <sird@rckc.at> wrote:
> > > Anyway, maybe I misunderstood what he said, I thought he meant in 
> > > chrome it was a new and exclusive origin (different from the parent 
> > > one) and my tests sort of confirmed that.
> > 
> > WebKit-based browser (Safari, Chrome, etc) use a unique origin for 
> > data URLs.  This is out-of-spec with HTML5, but Maciej and other think 
> > the spec's behavior is a security vulnerability.
> 
> I don't think the spec's behavior is a security vulnerability, just the 
> way Ian informally described it. The actual spec text appears not to be 
> practically implementable (or perhaps it is just missing the details 
> that make it implementable and secure).

It's supposed to be what Gecko does, but apparently it was written before 
a lot of things like the navigation algorithm were nailed down. I'll 
update it to be written more sanely (I've saved this thread to my "html5" 
folder to be addressed in detail).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 7 December 2009 10:45:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT