- From: Collin Jackson <w3c@collinjackson.com>
- Date: Mon, 26 May 2008 18:02:05 -0700
On Sun, May 25, 2008 at 12:02 PM, Jon Ferraiolo <jferrai at us.ibm.com> wrote: > I would assume that there are also > security issues with allowing the parent to override the styling of an > embedded iframe because conceivably someone could invoke a bank website > within an iframe and it wouldn't be good if the parent could override some > of the CSS for the bank's website. Similarly, you probably wouldn't want the > parent frame to be able to listen to keystrokes that happen within the child > iframe (e.g., your password). Since the parent can already overlay password fields on top of the sandboxed frame or replace it with a spoofed version, I don't think we should encourage widgets to solicit passwords inside their sandboxed frame if they don't trust their parent. Collin Jackson
Received on Monday, 26 May 2008 18:02:05 UTC