
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 21 Jan 2011 01:35:15 -0800
Message-ID: <AANLkTin08Bb=dB1QZNq_sU1SXxvnVRyjJE5-iYzps16e@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Giorgio Maone <g.maone@informaction.com>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
> <http://www.businessinfo.co.uk/labs/test_files/iframe-indicator.png>
>
> So when some content is intended to be included a web site the
> X-Frame-Options:Allow, then the iframe indicator shows and prevents the
> iframe from being resized to very small dimensions and it should always
> appear on top of any content and within the screen area.

What if there are several overlapping frames that meet this criterion
all at the same time? There is only one "top" :-)

Also, what if a frame is moved underneath the cursor just milliseconds
before the user clicks something - in which case, the tooltip appears
too late to allow for any meaningful reaction?

What if the document is larger than window size? Can the frame be
rendered partly off-screen, so that only several pixels are still left
on the screen?

I can also imagine this colliding in nasty ways with things such as
drop-down lists or menus - you don't want "like" buttons to be drawn
on top of them :-(

/mz
Received on Friday, 21 January 2011 09:36:08 GMT
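Two of the objections above (only one frame can be "on top" where allowed frames overlap, and a frame can sit mostly off-screen with only a few pixels visible) reduce to simple geometry. The following is an added illustration, not code from this thread or from any browser; the frame rectangles, the viewport and the `z` stacking values are constructed sample data, and `auditFrames` is a hypothetical check that a reviewer of such an indicator proposal could run over a page's frame layout.

```javascript
// Added example (not from the thread): geometry checks that make the
// overlap and off-screen objections concrete. Frames and viewport are
// constructed sample values; `z` is a hypothetical stacking order.

// Axis-aligned rectangle intersection; null when the rectangles do not touch.
function intersection(a, b) {
  const left = Math.max(a.x, b.x);
  const top = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.w, b.x + b.w);
  const bottom = Math.min(a.y + a.h, b.y + b.h);
  if (right <= left || bottom <= top) return null;
  return { x: left, y: top, w: right - left, h: bottom - top };
}

function area(r) {
  return r ? r.w * r.h : 0;
}

// Fraction of a frame's area that actually lies inside the viewport.
function visibleFraction(frame, viewport) {
  const total = area(frame);
  if (total === 0) return 0;
  return area(intersection(frame, viewport)) / total;
}

// Which frame is really "on top" at a point: the highest z among the
// frames containing it. Only one can win, whatever the indicator promises.
function topmostAt(frames, point) {
  let best = null;
  for (const f of frames) {
    const inside = point.x >= f.x && point.x < f.x + f.w &&
                   point.y >= f.y && point.y < f.y + f.h;
    if (inside && (best === null || f.z > best.z)) best = f;
  }
  return best ? best.id : null;
}

// Report frames that are mostly off-screen and frames that another
// frame is stacked over, so their indicator could not be "always on top".
function auditFrames(frames, viewport, minVisible = 0.5) {
  const findings = [];
  for (const f of frames) {
    const vis = visibleFraction(f, viewport);
    if (vis < minVisible) {
      findings.push({ id: f.id, issue: 'mostly-offscreen', visibleFraction: vis });
    }
    for (const g of frames) {
      if (g === f) continue;
      const ov = intersection(f, g);
      if (ov && g.z > f.z) {
        findings.push({ id: f.id, issue: 'covered-by', by: g.id, overlapArea: area(ov) });
      }
    }
  }
  return findings;
}

// Constructed sample layout: two overlapping widgets and one frame
// hanging off the bottom-right corner of a 1024x768 viewport.
const VIEWPORT = { x: 0, y: 0, w: 1024, h: 768 };
const SAMPLE_FRAMES = [
  { id: 'like-button',  x: 100,  y: 100, w: 200, h: 50,  z: 1 },
  { id: 'share-widget', x: 150,  y: 100, w: 200, h: 50,  z: 2 },
  { id: 'edge-frame',   x: 1000, y: 700, w: 200, h: 100, z: 1 },
];

console.log(topmostAt(SAMPLE_FRAMES, { x: 200, y: 120 })); // share-widget
console.log(auditFrames(SAMPLE_FRAMES, VIEWPORT));
```

On the sample layout the audit reports `like-button` as covered by `share-widget` over a 150x50 region and `edge-frame` as only about 8% visible, which is the "several pixels left on the screen" case; the timing objection (a frame moved under the cursor just before a click) is not a geometry question and is deliberately not modelled here.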

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 21 January 2011 09:36:09 GMT