Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea) from sird@rckc.at on 2009-12-06 (public-web-security@w3.org from December 2009)

From: <sird@rckc.at>
Date: Sun, 6 Dec 2009 16:09:53 +0800
To: Adam Barth <w3c@adambarth.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Message-ID: <8ba534860912060009h3c5d07e4s5285319934cde6cb@mail.gmail.com>

yeah, that's exactly what I was talking about:
http://sla.ckers.org/forum/read.php?2,28617

So... <iframe seamless> is useless if you are already specifing the sandbox
directives via an HTTP header right?

And if developers start using the example that is given in the spec, then a
lot of people (devs often just follow documentation without thinking
twice) will miss the fact that attackers can inject a link instead of an
iframe.

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

On Sun, Dec 6, 2009 at 3:52 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Sat, Dec 5, 2009 at 11:10 PM, sird@rckc.at <sird@rckc.at> wrote:
> > anyway i will start another thread regarding sandbox iframes... i think
> they
> > are useless.. but maybe its a misunderstanding.
>
> What's problematic about sandboxed iframes?  There is a problem if the
> attacker navigates the user to the contents of the iframe outside of
> the sandbox, but I suspect we'll eventually solve that by letting
> sites specify the sandbox directives in an HTTP header (a la
> https://wiki.mozilla.org/Security/CSP/Sandbox).
>
> Is there something else you had in mind?  If you'd like to experiment,
> the latest WebKit nightlies should support the feature.
>
> Adam
>

Received on Sunday, 6 December 2009 08:10:53 UTC