Re: Security Recommendations around https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html from Michael[tm] Smith on 2019-10-25 (public-html-comments@w3.org from October 2019)

From: Michael[tm] Smith <mike@w3.org>
Date: Fri, 25 Oct 2019 15:16:41 +0900
To: Jason Tsang <tsangtmc@gmail.com>
Cc: public-html-comments@w3.org
Message-ID: <20191025061641.GM4182@sideshowbarker.net>

Jason Tsang <tsangtmc@gmail.com>, 2019-10-24 09:22 -0700:
> Archived-At: <https://www.w3.org/mid/CAO4tAOjFJywBMRKWNHdQS-teh+OLVMbgNbU5Dc3tMZekCTJDRA@mail.gmail.com>
> 
> I noted a security flaw in a implementation scenario in iframe sandboxes
> https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html
> which does not currently appear to be documented as a risk.
> More info:
> https://blog.analyzenothing.com/2019/10/html-sandboxes-restrictions-bypass-forms.html
> 
> Could i recommend adding in a warning into the documentation about such a
> risk?

You should raise an issue at https://github.com/whatwg/html/issues/new

-- 
Michael[tm] Smith https://people.w3.org/mike

Received on Friday, 25 October 2019 06:16:47 UTC