[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Michal Zalewski <lcamtuf@dione.cc>
Date: Fri, 26 Sep 2008 12:22:06 +0200 (CEST)
Message-ID: <Pine.LNX.4.64.0809261216280.17847@dione.cc>

On Thu, 25 Sep 2008, Maciej Stachowiak wrote:

>> I meant, corner of the container, rather than actual document rendered 
>> within.
>
> Then can't you work around the restriction by scrolling the contents 
> inside the iframe and sizing it carefully? (One way to scroll an iframe 
> to a desired position is to load a URL containing an anchor link

This was addressed in the original proposal (anchors and within-IFRAME 
focus() calls). There should be no other useful ways to scroll 
different-domain IFRAMEs, I'm hoping (window.scroll* methods are 
mercifully restricted in such a case in most browsers).

> For example, iGoogle widgets would become disabled if scrolled partially 
> off the top of the page under your proposal. And even if scrolled back 
> into view, would remain disabled for a second. With possibly a jarring 
> visual effect, or alternately, no visual indication that they are 
> disabled. Hard to decide which is worse.

As per the other thread, this is easily preventable (and a clause for UI 
action optimizations is already in the original proposal). I don't see 
this as a sufficient argument to dismiss the proposal, quite frankly - it 
does not indicate a fatal flaw, but rather a minor issue that is rather 
easily worked around.

Cheers,
/mz
Received on Friday, 26 September 2008 03:22:06 UTC