Re: Seamless iframes + CSS3 selectors = bad idea

On Dec 5, 2009, at 10:58 PM, sird@rckc.at wrote:

> IIRC sandboxed iframes can't frame.
>
My reading of the spec (confirmed by Hixie) is that sandboxed iframes
can frame - perhaps they should not be able to.

> in any case sandbox iframes are a joke unless you use data URIs..
> that should be cross origin anyway
>
Not setting the allow-same-origin flag makes them about as restricted
as using a data: URI.

  - Maciej

>
>> On Dec 6, 2009 2:55 PM, "Maciej Stachowiak" <mjs@apple.com> wrote:
>>
>> On Dec 5, 2009, at 10:27 PM, Maciej Stachowiak wrote: > > I think  
>> the attack is that you can injec...
>>
>> OK, I thought of a possible real vulnerability. A trusted host page
>> on the site wants to embed some untrusted user-generated content
>> with the ability to modify it, so it embeds it, hosted from its own
>> server, using <iframe sandbox="allow-same-origin">. This should
>> prevent scripting and plugins, so in theory it seems safe. But the
>> untrusted content could embed a further iframe with the seamless
>> flag, embedding an arbitrary document from the hosting service. It
>> can then use CSS selectors to probe for data in that document.
>>
>> Regards,
>> Maciej
>>
>

Received on Sunday, 6 December 2009 07:07:14 UTC
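The scenario in the quoted message turns on one embedding choice: untrusted user-generated content served from the host's own origin, framed with `sandbox="allow-same-origin"`. The following is an added example, not code from the thread or from any of its participants: a small linter that scans a page for `<iframe>` tags and flags that combination (and the related allow-scripts plus allow-same-origin pairing), so a template review can catch it before the content ships. The markup, paths and origins are constructed; it assumes Node.js for the WHATWG `URL` class.

```javascript
// Added example, not code from the thread: a linter for <iframe sandbox> usage
// that applies the reasoning in the message above. It flags a sandboxed frame of
// untrusted content that keeps allow-same-origin while its src is on the host's
// own origin, since such a frame (and any seamless frame it nests) can load
// further documents of that origin. Markup, paths and origins below are
// constructed; runs under Node.js (WHATWG URL).

const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const IFRAME_RE = /<iframe\b([^>]*)>/gi;

// Parse the attribute list of one <iframe ...> tag into a name -> value map.
// A boolean attribute such as bare `sandbox` maps to "" (every sandbox flag off).
function parseAttributes(text) {
  const attrs = {};
  for (const m of text.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Resolve the frame's origin relative to the host; data: URLs get the opaque
// "null" origin, which is what makes them cross-origin to the host.
function frameOrigin(src, hostOrigin) {
  const url = new URL(src, hostOrigin);
  return url.protocol === "data:" ? "null" : url.origin;
}

// Audit one iframe's attributes against the host origin. Returns a list of findings.
function auditIframe(attrs, hostOrigin) {
  const findings = [];
  if (!("sandbox" in attrs)) {
    findings.push("no sandbox attribute: embedded content runs with full privileges");
    return findings;
  }
  const flags = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  const src = attrs.src ?? "about:blank";
  let origin;
  try {
    origin = frameOrigin(src, hostOrigin);
  } catch {
    findings.push(`unparsable src: ${src}`);
    return findings;
  }
  if (flags.has("allow-same-origin") && origin === hostOrigin) {
    findings.push("allow-same-origin with a same-origin src: the frame can load and probe " +
                  "other documents of the host origin; serve untrusted content from a " +
                  "separate origin or drop allow-same-origin");
  }
  if (flags.has("allow-same-origin") && flags.has("allow-scripts")) {
    findings.push("allow-scripts together with allow-same-origin: script in the frame can " +
                  "reach the parent and remove the sandbox attribute entirely");
  }
  return findings;
}

// Scan a page for <iframe> tags and audit each one.
function auditMarkup(html, hostOrigin) {
  const report = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttributes(m[1]);
    report.push({
      src: attrs.src ?? "",
      sandbox: attrs.sandbox ?? null,
      findings: auditIframe(attrs, hostOrigin),
    });
  }
  return report;
}

// Constructed sample: a trusted host page embedding user-generated content in
// several ways. Only the first and last two embeds should draw findings.
const HOST_ORIGIN = "https://example.test";
const SAMPLE_PAGE = `
<iframe sandbox="allow-same-origin" src="/ugc/post-42.html"></iframe>
<iframe sandbox="allow-same-origin" src="https://ugc.example-cdn.test/post-42.html"></iframe>
<iframe sandbox src="/ugc/post-42.html"></iframe>
<iframe sandbox="allow-same-origin" src="data:text/html,%3Cp%3Ehi%3C/p%3E"></iframe>
<iframe src="/ugc/post-42.html"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" src="/widgets/clock.html"></iframe>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditMarkup(SAMPLE_PAGE, HOST_ORIGIN)) {
    console.log(r.src, r.sandbox === null ? "(no sandbox)" : `sandbox="${r.sandbox}"`);
    for (const f of r.findings) console.log("  !", f);
  }
}
```

The second and fourth embeds pass because the content is cross-origin to the host (a separate hostname, or a data: URL with its opaque origin), which matches the point made in the reply above: without allow-same-origin, or with content that is not same-origin to begin with, a nested frame cannot reach the host's documents. The regex-based tag scan is deliberately simple and suits a pre-deploy template check, not untrusted HTML parsing.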