Re: Seamless iframes + CSS3 selectors = bad idea

iirc sandboxed iframes can't frame.

in any case sandbox iframes are a joke unless you use data URIs.. that
should be cross origin anyway

On Dec 6, 2009 2:55 PM, "Maciej Stachowiak" <mjs@apple.com> wrote:

On Dec 5, 2009, at 10:27 PM, Maciej Stachowiak wrote:
> > I think the attack is that you can injec...
OK, I thought of a possible real vulnerability. A trusted host page on the
site wants to embed some untrusted user-generated content with the ability
to modify it, so it embeds it, hosted from its own server, using <iframe
sandbox="allow-same-origin">. This should prevent scripting and plugins, so
in theory it seems safe. But the untrusted content could embed a further
iframe with the seamless flag, embedding an arbitrary document from the
hosting service. It can then use CSS selectors to probe for data in that
document.

Regards,
Maciej

Received on Sunday, 6 December 2009 06:59:17 UTC