W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: [powerful features] Secure Contexts and Framed Documents

From: Rich Tibbett <rich.tibbett@gmail.com>
Date: Wed, 13 Jan 2016 19:23:42 +0100
Message-ID: <CALmeN0fWz5hzqL7FUiGNN1C=x6RrwubQ3f1nfb-q76GA9zL=WA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Jan 13, 2016 at 6:29 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Jan 13, 2016 at 6:23 PM, Rich Tibbett <rich.tibbett@gmail.com> wrote:
>> On Wed, Jan 13, 2016 at 6:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> On Wed, Jan 13, 2016 at 5:59 PM, Rich Tibbett <rich.tibbett@gmail.com>
>>> wrote:
>>>> Alternatively, could an HTTPS iframe be suitably
>>>> sandboxed from its non-secure parent(s) so it can continue to gain
>>>> access to
>>>> powerful APIs?
>>> No postMessage()? What did you have in mind?
>> Why could browsers not ship a properly secure sandbox and why should that
>> not be proposed in this group / mailing list?
> Hence my questions, what does a suitably/properly secure sandbox mean?

Strawman time...but it means an iframe that could essentially be
considered orphaned and detached from its parent. Having an orphaned
iframe that is, effectively, treated as its own top-level document and
should prevent communication loopholes or any shared state between
itself and a 'detached' parent.

>> So impossible then unless the whole web adopts HTTPS before this ships?
> If the whole web is to embed you, I suppose.

That's not much of a choice at all really: http://www.adtile.me/motion-ads.
Received on Wednesday, 13 January 2016 18:24:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC