W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 10 Dec 2009 08:04:01 +0000
Message-ID: <252dd75b0912100004o2430f342rbb2128a5b8fcf91@mail.gmail.com>
To: Mary Ellen Zurko <mzurko@us.ibm.com>
Cc: "Adam Barth <w3c" <w3c@adambarth.com>, public-web-security@w3.org
2009/12/9 Mary Ellen Zurko <mzurko@us.ibm.com>

> In theory I've got no problem with that. In practice, I'm darned if I can
> figure out how to ensure that a gazillion web app developers "only" develop
> using features that are "adequately safe". And I can't tell in this
> discussion how I'll do that. But I realize that's a tangent. Just throwing
> it out in case there's an easy answer that someone will toss me, and I will
> catch in my mouth, and trot off happily with...

I think the best solution would be a sandbox feature of CSS. Something
<style type="text/css" sandbox="element">
@policy {
   selectors:= $ ^;
body { /* this fails because the element reference becomes #element body */
img { /* reference automatically becomes #element img*/
  /* These coordinates are only relevant to the "element"  you cannot move
outside of the element boundaries */
<div id="element"
Received on Thursday, 10 December 2009 08:04:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:23 UTC