Security Recommendations around https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html from Jason Tsang on 2019-10-24 (public-html-comments@w3.org from October 2019)

From: Jason Tsang <tsangtmc@gmail.com>
Date: Thu, 24 Oct 2019 09:22:05 -0700
To: public-html-comments@w3.org
Message-ID: <CAO4tAOjFJywBMRKWNHdQS-teh+OLVMbgNbU5Dc3tMZekCTJDRA@mail.gmail.com>

Hello,
I noted a security flaw in a implementation scenario in iframe sandboxes
https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html
which does not currently appear to be documented as a risk.
More info:
https://blog.analyzenothing.com/2019/10/html-sandboxes-restrictions-bypass-forms.html

Could i recommend adding in a warning into the documentation about such a
risk?
Thanks

Received on Thursday, 24 October 2019 20:24:00 UTC