W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 09:35:17 +0000
Message-ID: <252dd75b0912080135x1fb0c03cpedbe408943de7c7a@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
2009/12/8 Adam Barth <w3c@adambarth.com>

> That seems to address the proximate issue, but it feel like
> blacklisting.  Are there other related attacks we're not thinking of
> that would make sense to address at the same time?

Well my POC used a dictionary attack to get the value of the first name text
field. There could be information disclosure issues in future. These could
be mitigated by limiting the amount of external requests.
Received on Tuesday, 8 December 2009 09:35:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC