W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 03:56:16 +0000
Message-ID: <252dd75b0912071956w5588524dw62b1f984e73c92f0@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

Has an anyone raised the issue that sandboxed iframes actually enable
"clickjacking" when frame buster defences are applied?

<iframe sandbox="allow-forms" src="http://twitter.com/login"></iframe>

So here the spec says disable scripts but allow forms, this would render a
javascript frame breaker useless.

Received on Tuesday, 8 December 2009 03:56:59 GMT

This message: [ Message body ]
Next message: Adam Barth: "Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)"
Previous message: gaz Heyes: "Re: Seamless iframes + CSS3 selectors = bad idea"
In reply to: Maciej Stachowiak: "Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)"
Next in thread: Adam Barth: "Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)"
Reply: Adam Barth: "Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)"

Mail actions: [ respond to this message ] [ mail a new topic ]
Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
Help: [ How to use the archives ] [ Search in the archives ]

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT