- From: Collin Jackson <w3c@collinjackson.com>
- Date: Mon, 26 May 2008 18:02:05 -0700
- To: "Jon Ferraiolo" <jferrai@us.ibm.com>
- Cc: "Ian Hickson" <ian@hixie.ch>, "Martin Atkins" <mart@degeneration.co.uk>, HTMLWG <public-html@w3.org>, public-webapi@w3.org, public-webapi-request@w3.org, whatwg <whatwg@whatwg.org>
On Sun, May 25, 2008 at 12:02 PM, Jon Ferraiolo <jferrai@us.ibm.com> wrote: > I would assume that there are also > security issues with allowing the parent to override the styling of an > embedded iframe because conceivably someone could invoke a bank website > within an iframe and it wouldn't be good if the parent could override some > of the CSS for the bank's website. Similarly, you probably wouldn't want the > parent frame to be able to listen to keystrokes that happen within the child > iframe (e.g., your password). Since the parent can already overlay password fields on top of the sandboxed frame or replace it with a spoofed version, I don't think we should encourage widgets to solicit passwords inside their sandboxed frame if they don't trust their parent. Collin Jackson
Received on Tuesday, 27 May 2008 09:44:53 UTC