
Fixing third party content

From: Craig Francis <craig@craigfrancis.co.uk>
Date: Fri, 11 Mar 2016 12:17:33 +0000
Message-Id: <837589F0-33F0-49A0-889B-EB0538093B7B@craigfrancis.co.uk>
To: WebAppSec WG <public-webappsec@w3.org>

Hi,

Just thinking about third party content, and how it is typically given *full* access to a webpage with a `script` tag, which means it can do pretty much anything it likes to the page (not good).

A possible solution is to use an `iframe` - but we can't at the moment, as they are too restrictive.

While GitHub is probably not the best place for this, I've written up some ideas that might fix the main issues (basically taking the current features we have, and tweaking them a bit)...

https://github.com/craigfrancis/security/tree/master/third-party-content

Thoughts?

Craig
Received on Friday, 11 March 2016 12:18:04 UTC
