W3C home > Mailing lists > Public > public-css-archive@w3.org > December 2018

Re: [csswg-drafts] hostile iframes (#3360)

From: Florian Rivoal via GitHub <sysbot+gh@w3.org>
Date: Mon, 03 Dec 2018 07:42:06 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-443616377-1543822915-sysbot+gh@w3.org>
---

Migrated from https://github.com/WICG/spatial-navigation/issues/58#issuecomment-416872008
Originally created by @frivoal on *Wed, 29 Aug 2018 08:35:26 GMT*

---
@annevk with the possible exception of `window.navigate()`, I don't see what spatnav APIs can do that the `.focus()` method couldn't. It can influence where the focus goes, but within a single document, authors are already free to move it wherever.

For `window.navigate()`, I suppose that it would be possible, knowing the layout of an other site, to put that site in an iframe, use `.focus()` to move the focus in the embedder to a focusable element that is near particular interesting click target in the embeddee, and then use `window.navigate()` to get that element focused. However, It only gets the element focused, it does not click/activate it.

I don't believe that merely focusing an element is a security vulnerability, but maybe I just lack imagination.

If we do want to curtail this, we could do it with 2 steps:
1. navigating towards an iframe always focuses the iframe, rather than its content. This is already the case if the iframe is scrollable, but we could make non scrollable iframes focusable as well.
2. unlike manual navigation, `window.navigate()` cannot move the focus from an iframe to its content, and is a noop (or throws an exception) if you try.

That would limit the usefulness of `window.navigate()` in general, and in particular make it insufficient to drive the test suite.

-- 
GitHub Notification of comment by frivoal
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3360#issuecomment-443616377 using your GitHub account
Received on Monday, 3 December 2018 07:42:09 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:41:40 UTC