Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea) from Adam Barth on 2009-12-06 (public-web-security@w3.org from December 2009)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Dec 2009 23:52:52 -0800
To: "sird@rckc.at" <sird@rckc.at>
Cc: Maciej Stachowiak <mjs@apple.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Message-ID: <7789133a0912052352r3fed4f6i28086ae61b81b10c@mail.gmail.com>

On Sat, Dec 5, 2009 at 11:10 PM, sird@rckc.at <sird@rckc.at> wrote:
> anyway i will start another thread regarding sandbox iframes... i think they
> are useless.. but maybe its a misunderstanding.

What's problematic about sandboxed iframes?  There is a problem if the
attacker navigates the user to the contents of the iframe outside of
the sandbox, but I suspect we'll eventually solve that by letting
sites specify the sandbox directives in an HTTP header (a la
https://wiki.mozilla.org/Security/CSP/Sandbox).

Is there something else you had in mind?  If you'd like to experiment,
the latest WebKit nightlies should support the feature.

Adam

Received on Sunday, 6 December 2009 07:53:44 UTC