
iFrame access

From: Craig Francis <craig.francis@gmail.com>
Date: Sun, 20 Mar 2016 21:06:01 +0000
Message-Id: <389A9F82-C2E4-48E7-AA5A-D56ABA728070@gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>

Hi,

As part of my never ending quest to banish untrusted third party content into iframes...

Would it be possible to introduce a new token to the `sandbox` attribute, so that it allows the iframed document (cross domain) to read the Text Content of the parent document?

Something like:

	<iframe sandbox="allow-parent-text-content-read ..."></iframe>

This would allow Ad networks to put their unsafe/untrusted/messy JavaScript into a sandboxed iframe, and for them to have the very limited permission of being able to read the `.textContent` of the parent DOM - which is something they insist on for "contextual adverts".

We can then block the third party from having full read/write access to the whole page.

This will stop them seeing anything that isn't the text on the page (e.g. CSRF tokens, or values in input fields):

	<form action="/profile" id="profile">
		<label for="name">Name</label>
		<input type="text" id="name" value="Craig" />
		<input type="hidden" name="csrf" value="kr3aN1oY" />
	</form>

	<script>
		console.log(document.getElementById('profile').textContent); // Logs "Name" (plus surrounding whitespace); the input values are attributes, not text content
	</script>

Craig

https://www.w3.org/TR/2011/WD-html5-20110525/the-iframe-element.html#attr-iframe-sandbox

https://github.com/craigfrancis/security/tree/master/third-party-content
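Added example, not part of the original post or of the author's repository: the capability the proposed token would grant can be approximated today by having the parent page push a text-only snapshot of its DOM into the sandboxed frame over postMessage, with the frame checking the sender's origin. PARENT_ORIGIN, the frame id `ad-frame` and the sample DOM tree are assumptions constructed for the example.

```javascript
const PARENT_ORIGIN = 'https://publisher.example';  // assumed parent origin
const SKIP = new Set(['SCRIPT', 'STYLE', 'TEMPLATE', 'NOSCRIPT']);

// Collect text the way textContent does, but skip script/style bodies
// (textContent would otherwise include inline script source) and collapse
// whitespace. Attribute values (input values, hidden CSRF tokens) are never
// text nodes, so they cannot appear in the result.
function textSnapshot(node) {
  const parts = [];
  (function walk(n) {
    if (n.nodeType === 3) { parts.push(n.nodeValue); return; }          // text node
    if (n.nodeType !== 1 || SKIP.has(n.nodeName.toUpperCase())) return; // element?
    for (const child of n.childNodes) walk(child);
  })(node);
  return parts.join(' ').replace(/\s+/g, ' ').trim();
}

// Frame side: accept a snapshot only from the expected parent origin and
// only in the expected shape; anything else is ignored.
function acceptSnapshot(event, parentOrigin) {
  if (event.origin !== parentOrigin) return null;
  const d = event.data;
  if (!d || d.type !== 'text-snapshot' || typeof d.text !== 'string') return null;
  return d.text;
}

// Constructed stand-in for the <form> in the post (DOM-shaped plain objects).
const SAMPLE_FORM = { nodeType: 1, nodeName: 'FORM', childNodes: [
  { nodeType: 3, nodeValue: '\n\t\t' },
  { nodeType: 1, nodeName: 'LABEL', childNodes: [{ nodeType: 3, nodeValue: 'Name' }] },
  { nodeType: 1, nodeName: 'INPUT', childNodes: [] },   // value="Craig" is an attribute
  { nodeType: 1, nodeName: 'INPUT', childNodes: [] },   // hidden csrf token, also an attribute
  { nodeType: 1, nodeName: 'SCRIPT', childNodes: [{ nodeType: 3, nodeValue: 'var k = 1;' }] },
  { nodeType: 3, nodeValue: '\n\t' },
] };

if (typeof window !== 'undefined') {
  if (window.parent === window) {
    // Parent page: the frame has an opaque origin (no allow-same-origin),
    // so targetOrigin must be '*'; only the text snapshot is ever sent.
    const frame = document.getElementById('ad-frame');  // assumed frame id
    frame.addEventListener('load', () => frame.contentWindow.postMessage(
      { type: 'text-snapshot', text: textSnapshot(document.body) }, '*'));
  } else {
    // Sandboxed frame: wait for the snapshot, never reach into the parent DOM.
    window.addEventListener('message', (ev) => {
      const text = acceptSnapshot(ev, PARENT_ORIGIN);
      if (text !== null) console.log('contextual text:', text);
    });
  }
}
```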
Received on Sunday, 20 March 2016 21:06:32 UTC
