webappsec-ISSUE-55 (input-protection and seamless iframes): How to handle seamless flag for input-protection policies? [UI Security]

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Thu, 31 Oct 2013 18:19:41 +0000
Message-Id: <E1VbwqL-0003RR-HV@stuart.w3.org>
To: public-webappsec@w3.org

http://www.w3.org/2011/webappsec/track/issues/55

Raised by: Brad Hill
On product: UI Security

Should we prohibit displaying content with an input-protection policy in a seamless iframe? Because CSS gets cascaded into such a frame, it arguably already has no UI integrity from its parent - but seamless also already requires that the parent be same-origin.

Should an input-protection policy be treated as "frame-options 'deny'" when a resource is embedded with the seamless flag?  

Or should we allow it, because the embedder must be same-origin?  If yes, should we cascade input-protection from the embedding parent (including selectors) or attempt to continue to enforce it as-specified?
Received on Thursday, 31 October 2013 18:19:42 UTC
