
Re: iFrame access

From: Chris Palmer <palmer@google.com>
Date: Mon, 28 Mar 2016 12:39:52 -0700
Message-ID: <CAOuvq21bxhEhqynD9KY0u8umi73viXiodtEUqf+zKMwrv3EdXA@mail.gmail.com>
To: Craig Francis <craig.francis@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
I'm not a huge fan of letting cross-origin iframes get access to the
textContent of any element in the embedder's DOM. It's potentially a
privacy and security nightmare. For example, what if public content is
blended in with private content in the embedder's DOM? The embedee could
drive around looking for it. Not cool.

And, yes, another synchronous API is a bummer.

I'd much rather have the embedder explicitly pass the relevant text to the
embedee by some means, either postMessage, an iframe element attribute, or
URL query parameters.

Yes, it requires ad tech developers to do a little work. But, if they want
to get paid, they have to do a little work. And the heat is on them now to
stop egregiously violating people's privacy and security on the web. The
good news is, they are starting to see that:
http://www.iab.com/adopting-encryption-the-need-for-https/.
Received on Monday, 28 March 2016 19:40:21 UTC
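The explicit hand-off Chris Palmer recommends (embedder chooses what the frame gets, passes it via postMessage or a URL parameter, embedee validates where it came from) as an added example; this is not code from the original message or from any project. Browser APIs are modelled by small plain functions so the logic runs under Node, and the origins, message shape and field names are assumptions for illustration.

```javascript
// Added example: explicit hand-off of page context from an embedder to a
// cross-origin ad iframe instead of letting the frame read the embedder's DOM.
// Origins, message type and field names are assumptions for this example.
const EMBEDDER_ORIGIN = 'https://publisher.example'; // assumed
const AD_ORIGIN = 'https://ads.example';             // assumed

// Embedder side: only text the page has explicitly opted in is offered to
// the frame. Whitespace is collapsed so no DOM layout detail leaks through.
function buildContextMessage(optedInTexts) {
  const topics = optedInTexts
    .map(t => t.replace(/\s+/g, ' ').trim())
    .filter(Boolean);
  return { type: 'ad-context', version: 1, topics };
}

// Embedder side, postMessage route. In a browser frameWindow would be
// frame.contentWindow; the explicit targetOrigin means the data is dropped
// by the browser if the frame has navigated somewhere else.
function sendContext(frameWindow, optedInTexts) {
  frameWindow.postMessage(buildContextMessage(optedInTexts), AD_ORIGIN);
}

// Embedder side, URL query parameter route: the same opted-in topics are
// carried in the iframe src, correctly encoded by URLSearchParams.
function buildFrameUrl(optedInTexts) {
  const u = new URL('/ad', AD_ORIGIN);
  for (const t of buildContextMessage(optedInTexts).topics) {
    u.searchParams.append('topic', t);
  }
  return u.toString();
}

// Embedee side: accept only messages from the expected embedder and of the
// expected shape. Returns the accepted topics, or null if the message is
// rejected. In a browser this would run inside a "message" event listener.
function handleContextMessage(event) {
  if (event.origin !== EMBEDDER_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== 'ad-context' || data.version !== 1) return null;
  if (!Array.isArray(data.topics) ||
      !data.topics.every(t => typeof t === 'string')) return null;
  return data.topics.slice(0, 20); // bound how much we keep
}

// Constructed stand-in for a frame's contentWindow: records what was posted
// and which targetOrigin was used, so the hand-off can be checked offline.
function makeFakeFrameWindow() {
  const posted = [];
  return {
    posted,
    postMessage(data, targetOrigin) { posted.push({ data, targetOrigin }); },
  };
}

// Walk through one hand-off end to end and return what each side saw.
function demo() {
  const frame = makeFakeFrameWindow();
  sendContext(frame, ['  Cycling\n gear ', '']);
  const accepted = handleContextMessage({
    origin: EMBEDDER_ORIGIN, data: frame.posted[0].data });
  const rejected = handleContextMessage({
    origin: 'https://not-the-publisher.example', data: frame.posted[0].data });
  return { posted: frame.posted, accepted, rejected,
           url: buildFrameUrl(['Cycling gear']) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the shape is that the embedder decides what leaves the page, the browser enforces the target origin on the way out, and the embedee checks `event.origin` on the way in; nothing in the frame can go "driving around" the embedder's DOM because it never gets a handle to it.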
