Re: windowed elements and z-index

From: Clover Andrew <aclover@1VALUE.com>
Date: Tue, 2 Jan 2001 15:32:32 +0100
Message-ID: <5F78AA062F6AD311A59000508B4AAF6D092C05@PCS02>
To: "'www-style@w3.org'" <www-style@w3.org>

> It is. IFRAMEs work properly now

Interesting. Has there been a discussion of security implications
of this?

Is there anything to prevent a hostile page[1] from displaying
an apparently authentic target site[2] in an <iframe> with overlaid
content belonging to the hostile site?

This would seem to open the door to attacks where form contents are
submitted somewhere other than where the user would expect, in
particular.

[1] esp. a typosquatter or owner of the same name on a different
    TLD, so the URL discrepancy is less likely to be noticed.
[2] worse than a simple impersonation attack in that the content
    does come from the target site, and is accessed using the user's
    privileges, cf. client-side trojan.

-- 
Andrew Clover
Technical Support
1VALUE.com AG
Received on Tuesday, 2 January 2001 09:39:25 GMT
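
Added example, not part of the original message: a defender-side check of whether a response's headers allow a given page to display it in an <iframe>, which is the condition the question above depends on. It uses the `X-Frame-Options` and CSP `frame-ancestors` response headers, which are later mechanisms not named in the message; the function names and the `.example` origins in any call are assumptions made for illustration.

```javascript
// Added example: decide whether a response's headers let `embedder` frame it.
// Simplified: handles 'none', 'self', '*', exact origins and scheme://*.host
// wildcards; ports/paths in sources and nested (multi-level) framing are not handled.

function matchesSource(source, embedder, self) {
  if (source === "*") return true;
  if (source === "'self'") return embedder === self;
  const m = /^(https?):\/\/\*\.(.+)$/.exec(source);
  if (m) {
    const u = new URL(embedder);
    return u.protocol === m[1] + ":" && u.hostname.endsWith("." + m[2]);
  }
  // 'none' and unsupported forms fail to parse as a URL and match nothing.
  try { return new URL(source).origin === embedder; } catch { return false; }
}

function frameAncestors(policy) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function canBeFramedBy(headers, embedder, self) {
  // headers: lower-cased header name -> array of values (one per header line).
  // embedder / self: origin strings of the framing page and the framed site.
  const lists = (headers["content-security-policy"] || [])
    .map(frameAncestors)
    .filter((l) => l !== null);
  if (lists.length > 0) {
    // Every policy must allow the embedder; frame-ancestors overrides X-Frame-Options.
    return lists.every((l) => l.some((s) => matchesSource(s, embedder, self)));
  }
  const xfo = (headers["x-frame-options"] || []).map((v) => v.trim().toUpperCase());
  if (xfo.includes("DENY")) return false;
  if (xfo.includes("SAMEORIGIN")) return embedder === self;
  return true; // no recognised framing restriction: any page may embed it
}
```

A `true` result for an origin the site does not control means the overlay scenario described in the message is not blocked by the response headers.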