
Re: The <iframe> element and sandboxing ideas

From: Collin Jackson <w3c@collinjackson.com>
Date: Mon, 26 May 2008 18:02:05 -0700
Message-ID: <986207e70805261802i201fb2fcv88c663b4610c0c32@mail.gmail.com>
To: "Jon Ferraiolo" <jferrai@us.ibm.com>
Cc: "Ian Hickson" <ian@hixie.ch>, "Martin Atkins" <mart@degeneration.co.uk>, HTMLWG <public-html@w3.org>, public-webapi@w3.org, public-webapi-request@w3.org, whatwg <whatwg@whatwg.org>

On Sun, May 25, 2008 at 12:02 PM, Jon Ferraiolo <jferrai@us.ibm.com> wrote:
> I would assume that there are also
> security issues with allowing the parent to override the styling of an
> embedded iframe because conceivably someone could invoke a bank website
> within an iframe and it wouldn't be good if the parent could override some
> of the CSS for the bank's website. Similarly, you probably wouldn't want the
> parent frame to be able to listen to keystrokes that happen within the child
> iframe (e.g., your password).

Since the parent can already overlay password fields on top of the
sandboxed frame or replace it with a spoofed version, I don't think we
should encourage widgets to solicit passwords inside their sandboxed
frame if they don't trust their parent.

Collin Jackson
Received on Tuesday, 27 May 2008 09:44:53 UTC
