Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea) from gaz Heyes on 2009-12-08 (public-web-security@w3.org from December 2009)

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 03:56:16 +0000
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, Boris Zbarsky <bzbarsky@mit.edu>, Ian Hickson <ian@hixie.ch>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Message-ID: <252dd75b0912071956w5588524dw62b1f984e73c92f0@mail.gmail.com>

Has an anyone raised the issue that sandboxed iframes actually enable
"clickjacking" when frame buster defences are applied?

<iframe sandbox="allow-forms" src="http://twitter.com/login"></iframe>

So here the spec says disable scripts but allow forms, this would render a
javascript frame breaker useless.

Received on Tuesday, 8 December 2009 03:56:59 UTC