- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 7 Dec 2009 10:14:38 +0000 (UTC)
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Thomas Roessler <tlr@w3.org>, Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org

On Mon, 7 Dec 2009, sird@rckc.at wrote:
>
> Regarding this problem, I think we can't really fix the CSS3 selectors
> since several browsers already implement it, so the thread was about the
> seamless iframes on html5.
>
> Could it be possible to NOT parse these selectors inside seamless
> iframes?
>
> I mean, the frame would parse everything except for selectors that match
> text..
>
> That at least won't introduce a new vulnerability on seamless iframes,
> and I think is a fair sacrifice (not use *= $= and ^= selectors inside
> the seamless iframes) for security.

What is the attack vector with seamless <iframe>s? Didn't the recent
change address this?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 7 December 2009 10:15:19 UTC