- From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Thu, 31 Oct 2013 18:19:41 +0000
- To: public-webappsec@w3.org

webappsec-ISSUE-55 (input-protection and seamless iframes): How to handle seamless flag for input-protection policies? [UI Security]

http://www.w3.org/2011/webappsec/track/issues/55

Raised by: Brad Hill
On product: UI Security

Should we prohibit displaying content with an input-protection policy in a seamless iframe? Because CSS gets cascaded into such a frame, it arguably already has no UI integrity from its parent - but seamless also already requires that the parent be same-origin.

Should an input-protection policy be treated as "frame-options 'deny'" when a resource is embedded with the seamless flag? Or should we allow it, because the embedder must be same-origin? If yes, should we cascade input-protection from the embedding parent (including selectors) or attempt to continue to enforce it as-specified?

Received on Thursday, 31 October 2013 18:19:42 UTC