Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

On Sun, 6 Dec 2009, sird@rckc.at wrote:
>
> yeah, that's exactly what I was talking about: 
> http://sla.ckers.org/forum/read.php?2,28617
> 
> So... <iframe seamless> is useless if you are already specifing the 
> sandbox directives via an HTTP header right?

<iframe sandbox src=""> is intended primarily for cross-origin embedding, 
not same-origin. For same-origin, we'll probably add <iframe sandbox 
doc="">, with inline source.


> And if developers start using the example that is given in the spec, 
> then a lot of people (devs often just follow documentation without 
> thinking twice) will miss the fact that attackers can inject a link 
> instead of an iframe.

I'll add some text mentioning this case.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Sunday, 6 December 2009 09:26:02 UTC