
Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 21 Jan 2011 13:05:30 -0800
Message-ID: <AANLkTiku67ovPx1GmjXCk=OxpWG-PT_8g3YAWuxgMhWb@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Giorgio Maone <g.maone@informaction.com>, Daniel Veditz <dveditz@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
> Yeah that's the problem as it stands today but I'm proposing a different
> behaviour for iframes in general when the x-frames-option header is applied
> to allow framing. Moving a parent div would count as dynamic styling of the
> iframe. The iframe could then stay where it is or be removed from display.

Even if you bake the frame into the rendered document, the window can
be scrolled up or down (window.scrollTo) to take it off screen or
bring it back. Making "like" buttons stay in place as the user
legitimately scrolls a page of YouTube comments is probably a no-go
;-)

Plus, even if you solve this, it gets even more complicated if you
have a non-XFO frame that has a "restricted" XFO frame inside - and
when that non-XFO frame is resized; or if the browser window itself is
resized, which is permitted by default in some U-As.

Cheers,
/mz
Received on Friday, 21 January 2011 21:06:24 GMT
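The cases raised in the reply, as an added illustration that is not code from anyone on this thread: a small geometry model of a frame chain in which the innermost (XFO-restricted) frame's own styling is never touched, yet a top-level window.scrollTo, a scroll of the enclosing non-XFO frame, a resize of that frame, or a resize of the browser window each drives its visible area to zero. All frame positions, sizes and scroll offsets are constructed sample values.

```javascript
// Added illustration for this thread (not code by any participant): a
// geometry model of why pinning a framed widget's *style* does not pin
// its on-screen position. Each frame is a box inside its parent's
// document; the parent's scroll offset and viewport decide which part of
// that box reaches the screen. Scroll offsets, frame sizes and the window
// size used below are constructed sample values, not measurements.

// Intersect two rectangles; returns a zero-area rect when they are disjoint.
function intersect(a, b) {
  const x = Math.max(a.x, b.x);
  const y = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.w, b.x + b.w);
  const bottom = Math.min(a.y + a.h, b.y + b.h);
  return { x, y, w: Math.max(0, right - x), h: Math.max(0, bottom - y) };
}

// chain[0] is the top-level window: { viewport: {w, h}, scroll: {x, y} }.
// chain[i > 0] is a frame element laid out in chain[i-1]'s document:
//   { pos: {x, y} in that document's coordinates, size: {w, h}, scroll: {x, y} }
// Walks the chain from the top, converts each frame's box into screen
// coordinates and clips it by every ancestor's visible area. Returns the
// screen rect of the innermost frame that the user can actually see.
function visibleScreenRect(chain) {
  const top = chain[0];
  let clip = { x: 0, y: 0, w: top.viewport.w, h: top.viewport.h };
  // Screen position of the current parent document's origin.
  let origin = { x: -top.scroll.x, y: -top.scroll.y };
  let rect = clip;
  for (let i = 1; i < chain.length; i++) {
    const f = chain[i];
    const box = { x: origin.x + f.pos.x, y: origin.y + f.pos.y, w: f.size.w, h: f.size.h };
    rect = intersect(clip, box);
    // The frame's own document starts at the frame's screen position,
    // shifted back by however far that document is scrolled.
    origin = { x: box.x - f.scroll.x, y: box.y - f.scroll.y };
    clip = rect;
  }
  return rect;
}

function visibleArea(chain) {
  const r = visibleScreenRect(chain);
  return r.w * r.h;
}

// Constructed baseline: a 1000x800 window; an ordinary (non-XFO) frame at
// y=300 in the top document; inside it, a 100x30 "like" button frame at
// y=50, standing in for the XFO-restricted frame whose styling is frozen.
function baseline() {
  return [
    { viewport: { w: 1000, h: 800 }, scroll: { x: 0, y: 0 } },
    { pos: { x: 100, y: 300 }, size: { w: 600, h: 400 }, scroll: { x: 0, y: 0 } },
    { pos: { x: 20, y: 50 }, size: { w: 100, h: 30 }, scroll: { x: 0, y: 0 } },
  ];
}

// Clone the chain and overwrite one field at one level; the button frame
// (chain[2]) is never touched by any of the cases below.
function withChange(chain, level, field, value) {
  const copy = JSON.parse(JSON.stringify(chain));
  copy[level][field] = value;
  return copy;
}

// The cases raised in the reply, none of which restyles the button:
const cases = {
  // window.scrollTo(0, 900) on the top page: the whole outer frame leaves the screen.
  topScrolled: withChange(baseline(), 0, 'scroll', { x: 0, y: 900 }),
  // The outer frame's own document scrolled down past the button.
  outerFrameScrolled: withChange(baseline(), 1, 'scroll', { x: 0, y: 100 }),
  // The non-XFO outer frame resized to 40px tall: the button falls below its clip.
  outerFrameResized: withChange(baseline(), 1, 'size', { w: 600, h: 40 }),
  // The browser window itself resized to 340px tall.
  windowResized: withChange(baseline(), 0, 'viewport', { w: 1000, h: 340 }),
};

// Names of the cases in which the button has no visible pixels at all.
function hiddenCases() {
  return Object.keys(cases).filter((name) => visibleArea(cases[name]) === 0);
}

// Scrolling the top page back (window.scrollTo(0, 0)) brings the button back.
function scrolledBack() {
  return visibleArea(withChange(cases.topScrolled, 0, 'scroll', { x: 0, y: 0 }));
}
```

The point of the model is that a check phrased as "was the restricted iframe's styling changed?" never fires in any of these cases; a browser wanting to know whether the widget is really on screen has to recompute its clipped screen rectangle through every ancestor frame, and redo that on every scroll and resize event at every level.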
