
Re: [csswg-drafts] hostile iframes (#3360)

From: Florian Rivoal via GitHub <sysbot+gh@w3.org>
Date: Mon, 03 Dec 2018 07:42:06 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-443616375-1543822915-sysbot+gh@w3.org>

Migrated from https://github.com/WICG/spatial-navigation/issues/58#issuecomment-437228150
Originally created by @jihyerish on *Fri, 09 Nov 2018 02:28:15 GMT*

I agree that the feature policy is a good approach to solving the security issue in spatial navigation.
By default, the focus can move to iframe elements which are same-origin.
But for an iframe whose `allow` attribute (Feature Policy API) grants the `spatial-navigation` feature to `*`, the focus can move inside the cross-origin iframe element.

The detailed approach for the feature policy would be as below:

### Default policy: spatial-navigation 'self'

### Feature-Policy HTTP header

A page can declare the spatial navigation feature in its HTTP headers as follows:

```http
Feature-Policy: spatial-navigation 'self'
```

It means that only same-origin iframe elements are allowed for the spatial navigation.

### iframe `allow` attribute

The feature can be specified for a single iframe element using the `allow` attribute as below:

```html
<iframe src="https://example.com..." allow="spatial-navigation 'none'"></iframe>
```

This will block the spatial navigation feature for the top-level and nested iframe elements.

GitHub Notification of comment by frivoal
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3360#issuecomment-443616375 using your GitHub account
Received on Monday, 3 December 2018 07:42:16 UTC
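The following is an added example, not code from the comment above, the spatial-navigation proposal, or any browser. It is a simplified model of the decision the comment describes for a `spatial-navigation` feature: the default allowlist is `'self'`, a `Feature-Policy` header can declare an allowlist, and an iframe's `allow` attribute can grant the feature to `*` or deny it with `'none'`. Two modelling assumptions are labelled in the code: when the `allow` attribute names the feature it decides for that frame, and a frame in which the feature is disabled cannot re-enable it for its nested frames (which is what makes `'none'` cover "the top-level and nested iframe elements"). The real Feature Policy algorithm has more steps than this; the function names and the sample origins are constructed.

```javascript
// Added example: simplified Feature Policy decision for a proposed feature.
// Not the spec's full algorithm; see the assumptions marked below.
const FEATURE = "spatial-navigation";
// Default policy proposed in the thread: only same-origin frames get the feature.
const DEFAULT_ALLOWLIST = ["'self'"];

// Parse a header value or `allow` attribute, e.g.
// "spatial-navigation 'self' https://partner.example; geolocation 'none'",
// into a Map of feature name -> allowlist tokens.
function parsePolicy(text) {
  const policy = new Map();
  if (!text) return policy;
  for (const decl of text.split(";")) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    // A bare feature name in `allow` means 'src': the frame's own origin.
    policy.set(feature, allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Does `allowlist` admit `origin`? 'self' is the embedding document's origin,
// 'src' the iframe's own origin, 'none' denies everything, '*' admits everything.
function allowlistMatches(allowlist, origin, selfOrigin, srcOrigin) {
  for (const entry of allowlist) {
    if (entry === "'none'") return false;
    if (entry === "*") return true;
    if (entry === "'self'" && origin === selfOrigin) return true;
    if (entry === "'src'" && origin === srcOrigin) return true;
    if (entry === origin) return true;
  }
  return false;
}

// Decide whether the feature is enabled inside one frame.
// parent: { origin, header, enabled }   frame: { origin, allow }
function featureEnabledInFrame(parent, frame) {
  // Assumption: a frame where the feature is disabled cannot re-enable it
  // for its children, so 'none' on an outer iframe blocks all nested frames.
  if (!parent.enabled) return false;
  const containerPolicy = parsePolicy(frame.allow);
  if (containerPolicy.has(FEATURE)) {
    // Assumption: an explicit `allow` entry decides for this frame.
    return allowlistMatches(containerPolicy.get(FEATURE), frame.origin, parent.origin, frame.origin);
  }
  // Otherwise the embedding document's header policy (or the default) applies.
  const headerPolicy = parsePolicy(parent.header);
  const allowlist = headerPolicy.get(FEATURE) || DEFAULT_ALLOWLIST;
  return allowlistMatches(allowlist, frame.origin, parent.origin, frame.origin);
}

// Walk top-level document -> iframe -> nested iframe -> ... and return one
// boolean per frame, so the effect on nested frames is visible.
function evaluateChain(top, frames) {
  const results = [];
  let parent = { origin: top.origin, header: top.header, enabled: true };
  for (const frame of frames) {
    const enabled = featureEnabledInFrame(parent, frame);
    results.push(enabled);
    parent = { origin: frame.origin, header: frame.header || null, enabled };
  }
  return results;
}

// Constructed scenarios (origins are made up for the example).
const top = { origin: "https://site.example", header: "spatial-navigation 'self'" };
console.log("same-origin frame, no allow      :", evaluateChain(top, [{ origin: "https://site.example", allow: null }]));
console.log("cross-origin frame, no allow     :", evaluateChain(top, [{ origin: "https://ads.example", allow: null }]));
console.log("cross-origin frame, allow *      :", evaluateChain(top, [{ origin: "https://ads.example", allow: "spatial-navigation *" }]));
console.log("allow 'none', then nested frame  :", evaluateChain(top, [
  { origin: "https://site.example", allow: "spatial-navigation 'none'" },
  { origin: "https://site.example", allow: null },
]));
```

Running the script prints `[ true ]`, `[ false ]`, `[ true ]` and `[ false, false ]` for the four scenarios, matching the behaviour the comment describes: same-origin frames get the feature by default, cross-origin frames do not unless the `allow` attribute grants it, and `'none'` on an iframe also turns it off for everything nested inside that iframe.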

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:41:40 UTC