webappsec-ISSUE-55 (input-protection and seamless iframes): How to handle seamless flag for input-protection policies? [UI Security]

http://www.w3.org/2011/webappsec/track/issues/55

Raised by: Brad Hill
On product: UI Security

Should we prohibit displaying content with an input-protection policy in a seamless iframe?  Because CSS gets cascaded into such a frame, it arguably already has no UI integrity from its parent - but seamless also already requires that the parent be same-origin.

Should an input-protection policy be treated as "frame-options 'deny'" when a resource is embedded with the seamless flag?

Or should we allow it, because the embedder must be same-origin?  If yes, should we cascade input-protection from the embedding parent (including selectors) or attempt to continue to enforce it as-specified?

Received on Thursday, 31 October 2013 18:19:42 UTC