- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Fri, 26 Sep 2008 11:39:43 +1200
On Fri, Sep 26, 2008 at 10:23 AM, Michal Zalewski <lcamtuf at dione.cc> wrote:

> I meant, corner of the container, rather than actual document rendered
> within. It deals strictly with the frame beginning outside the current
> viewport to hide some of its contents, but leave small portions of the UI
> exposed to misdirected clicks. Doing the same check for bottom right is very
> much possible, although does not seem to thwart any particularly plausible
> attacks.

Seems like this will create a really bad user experience. The user scrolling around in the outer document will make IFRAMEs in it mysteriously become enabled or disabled. Jesse Ruderman suggested this in 2002, more or less, and I didn't like it then, and I don't like it any more now.

Anyway, this option 3) will require extension to deal with opacity:0 and SVG <filter> attacks. That's probably not hard to do, but it's a warning sign that it might not be very robust as the Web evolves.

It also needs to treat size changes to the IFRAME as decloaking requiring a UI input lockout. In fact, pretty much any change that makes a lot more of the iframe be exposed needs to be detected, including stuff like sudden CSS transform rescaling... Ugh.

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Received on Thursday, 25 September 2008 16:39:43 UTC