- From: poot <cvsmail@w3.org>
- Date: Tue, 29 Sep 2009 10:05:54 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: Mention the mostly hypothetical security risk of <iframe
marginwidth> (whatwg r4018)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3179&r2=1.3180&f=h
http://html5.org/tools/web-apps-tracker?from=4017&to=4018
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3179
retrieving revision 1.3180
diff -u -d -r1.3179 -r1.3180
--- Overview.html 29 Sep 2009 00:52:49 -0000 1.3179
+++ Overview.html 29 Sep 2009 01:05:34 -0000 1.3180
@@ -65311,8 +65311,6 @@
default value of 8px is expected to be used for that property
instead.</p>
- <!-- XXX so, uh, about the cross-site-styling hole below... -->
-
<table><thead><tr><th>Property
<th>Source
<tbody><tr><td rowspan="3">'margin-top'
@@ -65340,6 +65338,14 @@
<code><a href="#frame">frame</a></code> or <code><a href="#the-iframe-element">iframe</a></code> element. Otherwise, there
is no <a href="#container-frame-element">container frame element</a>.</p>
+ <p class="warning">The above requirements imply that a page can
+ change the margins of another page (including one from another
+ <a href="#origin">origin</a>) using, for example, an
+ <code><a href="#the-iframe-element">iframe</a></code>. This is potentially a security risk, as it
+ might in some cases allow an attack to contrive a situation in which
+ a page is rendered not as the author intended, possibly for the
+ purposes of phishing or otherwise misleading the user.</p>
+
<hr><p>If the <code>Document</code> has a <a href="#root-element">root element</a>, and
the <code>Document</code>'s <a href="#browsing-context">browsing context</a> is a
<a href="#nested-browsing-context">nested browsing context</a>, and the <a href="#browsing-context-container">browsing context
Received on Tuesday, 29 September 2009 01:06:30 UTC