
Re: iFrame access

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 20 Mar 2016 14:22:10 -0700
Message-ID: <CAPfop_3tbFOkYh8qw9uduWvHT9D7w_nA5neH_Lfh0ge2egKuNQ@mail.gmail.com>
To: Craig Francis <craig.francis@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
I think there would be significant pushback against introducing another
synchronous cross origin primitive. But, I am not a browser engineer. Any
reason postMessage doesn't work? Maybe we can try and fix those
limitations? You can always fake a parentTextContent variable backed by
postMessage and updated async. This also gives the app finer control.
On Mar 20, 2016 5:08 PM, "Craig Francis" <craig.francis@gmail.com> wrote:

> Hi,
>
> As part of my never ending quest to banish untrusted third party content
> into iframes...
>
> Would it be possible to introduce a new token to the `sandbox` attribute,
> so that it allows the iframed document (cross domain) to read the Text
> Content of the parent document?
>
> Something like:
>
> <iframe sandbox="allow-parent-text-content-read ..."></iframe>
>
> This would allow Ad networks to put their unsafe/untrusted/messy
> JavaScript into a sandboxed iframe, and for them to have the very limited
> permission of being able to read the `.textContent` of the parent DOM -
> which is something they insist on for "contextual adverts".
>
> We can then block the third party from having full read/write access to
> the whole page.
>
> This will stop them seeing anything that isn't the text on the page (e.g.
> CSRF tokens, or values in input fields):
>
> <form action="/profile" id="profile">
> <label for="name">Name</label>
> <input type="text" id="name" value="Craig" />
> <input type="hidden" name="csrf" value="kr3aN1oY" />
> </form>
>
> <script>
> console.log(document.getElementById('profile').textContent); // Output "Name"
> </script>
>
> Craig
>
> https://www.w3.org/TR/2011/WD-html5-20110525/the-iframe-element.html#attr-iframe-sandbox
>
> https://github.com/craigfrancis/security/tree/master/third-party-content
Received on Sunday, 20 March 2016 21:22:40 UTC
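The parentTextContent variable backed by postMessage that the reply suggests, as an added example in JavaScript (not code from the thread). It assumes the ad frame is a sandboxed iframe without allow-same-origin, so its origin is opaque, and uses a placeholder publisher origin plus in-memory stand-ins for the two windows so it runs outside a browser.

```javascript
// Parent side (publisher page): answer text requests from our own iframe only. The
// frame is assumed to be <iframe sandbox="allow-scripts"> without allow-same-origin,
// so its origin is opaque, event.origin is "null", and identity is checked by window.
function makeParentHandler(frameWindow, getTextContent) {
  return function onMessage(event) {
    if (event.source !== frameWindow) return null;
    if (!event.data || event.data.type !== 'parent-text-request') return null;
    // textContent has no markup or attribute values: the hidden CSRF field and the
    // input's value from the original post never appear in the reply.
    const reply = { type: 'parent-text', text: getTextContent() };
    frameWindow.postMessage(reply, '*'); // an opaque origin can only be targeted with "*"
    return reply;
  };
}
// Child side (ad script): a value read synchronously, refreshed asynchronously.
function makeParentTextCache(parentWindow, parentOrigin) {
  const cache = { parentTextContent: '' };
  cache.refresh = () => parentWindow.postMessage({ type: 'parent-text-request' }, parentOrigin);
  cache.onMessage = (event) => {
    if (event.origin !== parentOrigin || event.source !== parentWindow) return false;
    if (!event.data || event.data.type !== 'parent-text') return false;
    cache.parentTextContent = String(event.data.text);
    return true;
  };
  return cache;
}
// Two fake windows with inboxes, standing in for the browser's async delivery.
function fakeWindowPair(parentOrigin) {
  const parent = { origin: parentOrigin, inbox: [] };
  const child = { origin: 'null', inbox: [] }; // opaque origin of the sandboxed frame
  parent.peer = child; child.peer = parent;
  for (const w of [parent, child]) {
    w.postMessage = (data, targetOrigin) => {
      if (targetOrigin !== '*' && targetOrigin !== w.origin) return; // browser drops a mismatch
      w.inbox.push({ data, origin: w.peer.origin, source: w.peer });
    };
  }
  return { parent, child };
}
function demo() {
  const parentOrigin = 'https://publisher.example'; // placeholder
  const { parent, child } = fakeWindowPair(parentOrigin);
  const onParentMessage = makeParentHandler(child, () => 'Name'); // stand-in for document.body.textContent
  const cache = makeParentTextCache(parent, parentOrigin);
  cache.refresh();
  parent.inbox.splice(0).forEach(onParentMessage);
  const accepted = child.inbox.splice(0).map(cache.onMessage);
  // Right shape and origin but an unrelated source window: rejected.
  const forged = cache.onMessage({ data: { type: 'parent-text', text: 'x' }, origin: parentOrigin, source: {} });
  return { text: cache.parentTextContent, accepted, forged };
}
```

In a real page the parent registers its handler with `window.addEventListener('message', ...)` and the ad script reads `cache.parentTextContent` whenever it needs the page text.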
