Re: iFrame access from Chris Palmer on 2016-03-28 (public-webappsec@w3.org from March 2016)

From: Chris Palmer <palmer@google.com>
Date: Mon, 28 Mar 2016 12:39:52 -0700
To: Craig Francis <craig.francis@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAOuvq21bxhEhqynD9KY0u8umi73viXiodtEUqf+zKMwrv3EdXA@mail.gmail.com>

I'm not a huge fan of letting cross-origin iframes get access to the
textContent of any element in the embedder's DOM. It's potentially a
privacy and security nightmare. For example, what if public content is
blended in with private content in the embedder's DOM? The embedee could
drive around looking for it. Not cool.

And, yes, another synchronous API is a bummer.

I'd much rather have the embedder explicitly pass the relevant text to the
embedee by some means, either postMessage, an iframe element attribute, or
URL query parameters.

Yes, it requires ad tech developers to do a little work. But, if they want
to get paid, they have to do a little work. And the heat is on them now to
stop egregiously violating people's privacy and security on the web. The
good news is, they are starting to see that:
http://www.iab.com/adopting-encryption-the-need-for-https/.

Received on Monday, 28 March 2016 19:40:21 UTC