Re: Security Recommendations around https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html from Jason Tsang on 2019-10-25 (public-html-comments@w3.org from October 2019)

From: Jason Tsang <tsangtmc@gmail.com>
Date: Thu, 24 Oct 2019 23:24:34 -0700
To: "Michael[tm] Smith" <mike@w3.org>
Cc: public-html-comments@w3.org
Message-ID: <CAO4tAOjyLUEfSuKAyJO2VM7kHtBv1y876TWsHDaGLbcur=cw9A@mail.gmail.com>

Thank you Michael, appreciate the pointer and I'll be sure to do that.

On Thu, Oct 24, 2019, 11:16 PM Michael[tm] Smith <mike@w3.org> wrote:

> Jason Tsang <tsangtmc@gmail.com>, 2019-10-24 09:22 -0700:
> > Archived-At: <
> https://www.w3.org/mid/CAO4tAOjFJywBMRKWNHdQS-teh+OLVMbgNbU5Dc3tMZekCTJDRA@mail.gmail.com
> >
> >
> > I noted a security flaw in a implementation scenario in iframe sandboxes
> > https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html
> > which does not currently appear to be documented as a risk.
> > More info:
> >
> https://blog.analyzenothing.com/2019/10/html-sandboxes-restrictions-bypass-forms.html
> >
> > Could i recommend adding in a warning into the documentation about such a
> > risk?
>
> You should raise an issue at https://github.com/whatwg/html/issues/new
>
> --
> Michael[tm] Smith https://people.w3.org/mike
>

Received on Friday, 25 October 2019 06:25:33 UTC