Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 03:56:16 +0000
Message-ID: <252dd75b0912071956w5588524dw62b1f984e73c92f0@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

Has anyone raised the issue that sandboxed iframes actually enable
"clickjacking" when frame buster defences are applied?

<iframe sandbox="allow-forms" src="http://twitter.com/login"></iframe>

So here the spec says disable scripts but allow forms; this would render a
JavaScript frame breaker useless.
Received on Tuesday, 8 December 2009 03:56:59 GMT
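
Added example, not part of the original message: a check a site owner could run over their own response headers to see whether framing protection depends on script at all. It assumes a single Content-Security-Policy header value and the sandbox tokens of the current HTML standard; the function names and the sample inputs in the comments are constructed for illustration.

```javascript
// Does a script-based frame buster in the framed page get to run and
// navigate the top window? Pass null when the iframe has no sandbox attribute.
function scriptBusterWorks(sandboxAttr) {
  if (sandboxAttr === null) return true;
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  // Without allow-scripts the buster never executes; without
  // allow-top-navigation its attempt to navigate top is blocked.
  return tokens.has("allow-scripts") && tokens.has("allow-top-navigation");
}

// Split one CSP header value into directive name -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of String(value || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Classify the header-based framing policy, which the browser enforces
// whether or not scripts run in the framed document.
// Returns "deny", "same-origin", "allowlist" or "none".
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = parseCsp(h["content-security-policy"]);
  if (csp.has("frame-ancestors")) {
    // When frame-ancestors is present, X-Frame-Options is ignored.
    const src = csp.get("frame-ancestors").map((s) => s.toLowerCase());
    if (src.length === 0 || (src.length === 1 && src[0] === "'none'")) return "deny";
    // "*" or a bare scheme such as "https:" lets essentially any site frame the page.
    if (src.some((s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/.test(s))) return "none";
    if (src.length === 1 && src[0] === "'self'") return "same-origin";
    return "allowlist";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "none";
}
```

A page for which framingProtection returns "none" is relying on script alone, and scriptBusterWorks("allow-forms") shows that defence does not run under the sandbox value quoted in the message.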