Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

On Dec 6, 2009, at 8:31 AM, Adam Barth wrote:

> On Sun, Dec 6, 2009 at 7:06 AM, sird@rckc.at <sird@rckc.at> wrote:
>> Anyway, maybe I misunderstood what he said, I thought he meant in chrome it
>> was a new and exclusive origin (different from the parent one) and my tests
>> sort of confirmed that.
>
> WebKit-based browsers (Safari, Chrome, etc.) use a unique origin for
> data URLs.  This is out-of-spec with HTML5, but Maciej and others think
> the spec's behavior is a security vulnerability.

I don't think the spec's behavior is a security vulnerability, just  
the way Ian informally described it. The actual spec text appears not  
to be practically implementable (or perhaps it is just missing the  
details that make it implementable and secure).

Regards,
Maciej

Received on Monday, 7 December 2009 10:41:20 UTC