- From: Michal Zalewski <lcamtuf@dione.cc>
- Date: Tue, 30 Sep 2008 11:33:30 +0200 (CEST)
On Tue, 30 Sep 2008, Robert O'Callahan wrote:

> If I understand correctly, with Michal's option 3, those sites would
> also stop working as soon as the user scrolled down in the framed page
> (so that the top-left of the framed page is out of view).

Nope, the restriction applies strictly to the top-left corner of the *container* getting scrolled off the screen - not that of the content displayed within that container. In all the cases outlined by Ian, the IFRAMEs stay on screen, it's just that the content gets scrolled.

[ The only thing that #3 tries to prevent is having a cross-domain IFRAME positioned with CSS at negative screen offsets or with negative margins / padding, then carefully set IFRAME height and width, to effectively "crop" whatever is left displayed on screen. This is a weaker, but still plausible variant of the attack. ]

/mz
Received on Tuesday, 30 September 2008 02:33:30 UTC
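
The container-versus-content distinction drawn in the message above, as an added example that is not part of the original message or of any browser's code. The function names, the rectangle model, and the use of clipping ancestor boxes to stand in for negative margins / padding are assumptions made for illustration; what a browser would do once the check fails is left out.

```javascript
// Added illustration; not code from the thread or from any browser.
// Rectangles are {left, top, width, height} in viewport coordinates.

// Intersection of two rectangles, or null when they do not overlap.
function intersect(a, b) {
  const left = Math.max(a.left, b.left);
  const top = Math.max(a.top, b.top);
  const right = Math.min(a.left + a.width, b.left + b.width);
  const bottom = Math.min(a.top + a.height, b.top + b.height);
  if (right <= left || bottom <= top) return null;
  return { left, top, width: right - left, height: bottom - top };
}

// True when the top-left corner of the IFRAME container is on screen.
// frame.box is the iframe element's box; frame.clips (assumption) lists
// ancestor boxes that clip overflow; frame.contentScroll is deliberately
// never read, because scrolling inside the frame does not move the container.
function containerCornerVisible(viewport, frame) {
  let visible = { left: 0, top: 0, width: viewport.width, height: viewport.height };
  for (const clip of frame.clips || []) {
    visible = intersect(visible, clip);
    if (visible === null) return false;
  }
  const { left, top } = frame.box;
  return left >= visible.left && left < visible.left + visible.width &&
         top >= visible.top && top < visible.top + visible.height;
}

// Constructed sample layouts (not taken from the thread).
const VIEWPORT = { width: 1024, height: 768 };
const SAMPLES = {
  contentScrolled: { box: { left: 100, top: 200, width: 600, height: 400 },
                     contentScroll: { x: 0, y: 5000 } },
  negativeOffset: { box: { left: -300, top: -450, width: 400, height: 500 } },
  croppedByWrapper: { box: { left: 50, top: 50, width: 800, height: 600 },
                      clips: [{ left: 200, top: 300, width: 120, height: 40 }] },
  containerScrolledOff: { box: { left: 100, top: -10, width: 600, height: 400 } },
};

// Evaluate every constructed layout against the corner check.
function evaluateSamples() {
  const out = {};
  for (const [name, frame] of Object.entries(SAMPLES)) {
    out[name] = containerCornerVisible(VIEWPORT, frame);
  }
  return out;
}

console.log(evaluateSamples());
```

Only `contentScrolled` passes: its container stays on screen however far the framed document is scrolled, while the other three layouts move or clip the container's top-left corner out of view.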