[whatwg] Iframe dimensions from Boris Zbarsky on 2010-07-06 (public-whatwg-archive@w3.org from July 2010)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 05 Jul 2010 17:35:27 -0700
Message-ID: <4C327A4F.2030703@mit.edu>

On 7/5/10 12:37 PM, Markus Ernst wrote:
> I can't imagine how the information about the computed width and height
> can be abused - would you mind giving an example?

Sure.  For example, you can often use this to detect whether the user is 
currently logged into the site in the iframe, which is a privacy leak.

Depending on the target site, other things that might be exposed this 
way are things like the number of credit card transactions the user has 
performed in the last month, the number of phone calls the user has made 
in the last month...  you get the idea.

> A possible workaround to security issues could be an element to be set
> in the included document, such as a meta tag that contains a comma
> separated list of domains that are allowed to include the document, and
> also get informations about dimensions and such. Some kind of:
> <meta name="allow-embedding" content="whatwg.org, mozilla.com">

How is this different from allowing opt-in into seamless iframes across 
origins?

> Also, if this is a potential danger, should the 2 list paragraphs about
> width and height in the part on @seamless be removed at all? As far as I
> understand, the effects of @seamless require the iframe source to be
> from the same origin as the parent document, thus I think that width and
> height of an iframe should be computed independent from @seamless. Else,
> the whole page layout is likely to change if the iframe source is
> navigated from a same-origin document to one from another origin.

Yes, it will.  Why is this a problem?

> There has been no reason for authors to apply this declaration so far,
> but if anyone did, he/she wanted the rendering I suggest.

Experience shows this to not be the case.  People blindly apply CSS 
without thinking through the implications as long as the current 
rendering is "right"; I will bet money there are pages out there that 
use display:block on iframes just to get linebreaks before/after and 
will break if the sizing behavior changes.

-Boris

Received on Monday, 5 July 2010 17:35:27 UTC