- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 6 Dec 2009 09:25:34 +0000 (UTC)
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Adam Barth <w3c@adambarth.com>, Maciej Stachowiak <mjs@apple.com>, public-web-security@w3.org
On Sun, 6 Dec 2009, sird@rckc.at wrote:
>
> yeah, that's exactly what I was talking about:
> http://sla.ckers.org/forum/read.php?2,28617
>
> So... <iframe seamless> is useless if you are already specifying the
> sandbox directives via an HTTP header right?

<iframe sandbox src=""> is intended primarily for cross-origin embedding,
not same-origin. For same-origin, we'll probably add <iframe sandbox
doc="">, with inline source.

> And if developers start using the example that is given in the spec,
> then a lot of people (devs often just follow documentation without
> thinking twice) will miss the fact that attackers can inject a link
> instead of an iframe.

I'll add some text mentioning this case.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
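The inline-source variant discussed above, as an added example that is not part of this thread: the message calls the attribute `doc=""`, and the attribute that eventually shipped in HTML is `srcdoc`, which is what this helper emits. The escaping function and the sample input are constructed for the example.

```javascript
// Added example (not from the original thread). Builds the markup for embedding
// untrusted same-origin HTML inline in a fully restricted sandboxed iframe.
// Assumption: the inline-source attribute is srcdoc (the name that shipped in HTML;
// the message above still calls it doc="").

// Escape text for a double-quoted HTML attribute value. The browser decodes these
// character references before parsing the srcdoc content as a document, so the
// inner HTML is preserved while the untrusted text can no longer terminate the
// attribute or the <iframe> start tag.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Returns an <iframe> whose document is supplied inline. Because the content has no
// URL of its own, an injected <a href> has nothing to point at, which is the gap the
// quoted question raises for sandbox + src="" pointing at a same-origin document.
// An empty sandbox="" applies every restriction: unique origin, no scripts, no forms,
// no top-level navigation.
function sandboxedInlineFrame(untrustedHtml) {
  return '<iframe sandbox="" srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>';
}

// Constructed sample: user content that tries to close the attribute and the tag.
const sample = '<p>hi</p>"></iframe>';
console.log(sandboxedInlineFrame(sample));
```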
Received on Sunday, 6 December 2009 09:26:02 UTC