W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 10 Dec 2009 08:04:01 +0000
Message-ID: <252dd75b0912100004o2430f342rbb2128a5b8fcf91@mail.gmail.com>
To: Mary Ellen Zurko <mzurko@us.ibm.com>
Cc: "Adam Barth <w3c" <w3c@adambarth.com>, public-web-security@w3.org
2009/12/9 Mary Ellen Zurko <mzurko@us.ibm.com>

> In theory I've got no problem with that. In practice, I'm darned if I can
> figure out how to ensure that a gazillion web app developers "only" develop
> using features that are "adequately safe". And I can't tell in this
> discussion how I'll do that. But I realize that's a tangent. Just throwing
> it out in case there's an easy answer that someone will toss me, and I will
> catch in my mouth, and trot off happily with...
>

I think the best solution would be a sandbox feature of CSS. Something
like:-
<style type="text/css" sandbox="element">
@policy {
   selectors:= $ ^;
   url:same-origin;
   visited:same-origin;
}
body { /* this fails because the element reference becomes #element body */
}
img { /* reference automatically becomes #element img*/
  position:absolute;
  left:-100px;
  top:-100px;
  /* These coordinates are only relevant to the "element"  you cannot move
outside of the element boundaries */
}
</style>
<div id="element"
style="position:absolute;left:100px;top:100px;width:100px;height:100px;">
<img>
</div>
Received on Thursday, 10 December 2009 08:04:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT