- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Wed, 1 Oct 2008 00:23:59 +1300
On Tue, Sep 30, 2008 at 10:33 PM, Michal Zalewski <lcamtuf at dione.cc> wrote:

> On Tue, 30 Sep 2008, Robert O'Callahan wrote:
>
>> If I understand correctly, with Michal's option 3, those sites would also
>> stop working as soon as the user scrolled down in the framed page (so that
>> the top-left of the framed page is out of view).
>
> Nope, the restriction applies strictly to the top-left corner of the
> *container* getting scrolled off the screen - not that of the content
> displayed within that container. In all the cases outlined by Ian, the
> IFRAMEs stay on screen, it's just that the content gets scrolled.

I don't think that's secure. The outer page can set the IFRAME's URL to contain a #xyz fragment identifier, scrolling the 'xyz' element into view for any element with id 'xyz'; for many pages, this could allow the outer page great flexibility in scrolling the framed content to a desired position. That gives you the same visual effect as moving the top-left of the container off the screen (especially if you add "scrolling=no" to the IFRAME so scrollbars are suppressed), so it should be treated the same way.

I suppose you could handle that by disabling input to the IFRAME while its URL has a fragment identifier. But that doesn't work because AJAXy pages like to store state in the fragment identifier. So you need to disable input to the IFRAME while its URL has a fragment identifier that was set by the outer page. Ugh.

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Received on Tuesday, 30 September 2008 04:23:59 UTC
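
Added example, not part of the original message and not browser code: a JavaScript model of the rule the message arrives at, where input to the framed document is disabled only while its URL carries a fragment identifier that was set by the outer page. The class name, the "embedder"/"self" labels, the sample navigations and the choice to treat an empty fragment as no fragment are all assumptions made for illustration.

```javascript
// Hypothetical model: tracks who last set the frame's fragment identifier.
class FramedDocumentPolicy {
  constructor() {
    this.url = null;           // current URL of the framed document
    this.fragmentSetBy = null; // "embedder", "self", or null when no fragment
  }

  // Record a navigation. `initiator` is "embedder" when the outer page set the
  // IFRAME's URL and "self" when the framed document changed its own location.
  navigate(rawUrl, initiator) {
    if (initiator !== "embedder" && initiator !== "self") {
      throw new TypeError("initiator must be 'embedder' or 'self'");
    }
    // Relative references such as "#state" resolve against the current URL.
    const next = this.url ? new URL(rawUrl, this.url) : new URL(rawUrl);
    // URL.hash is "" both for no fragment and for a bare "#". Assumption:
    // neither scrolls the content to an embedder-chosen element.
    this.fragmentSetBy = next.hash === "" ? null : initiator;
    this.url = next.href;
  }

  // Blanket "no input while a fragment exists" would break pages that keep
  // their own state in the fragment, so only embedder-set fragments count.
  inputAllowed() {
    return this.fragmentSetBy !== "embedder";
  }
}

// Replay a navigation sequence and report the input decision after each step.
function replay(events) {
  const policy = new FramedDocumentPolicy();
  return events.map(([url, initiator]) => {
    policy.navigate(url, initiator);
    return policy.inputAllowed();
  });
}

// Constructed sample sequence (example.test is a placeholder host).
const constructedEvents = [
  ["https://app.example.test/page", "embedder"],     // plain embed
  ["https://app.example.test/page#xyz", "embedder"], // outer page picks scroll target
  ["#view=2", "self"],                               // framed page stores its own state
  ["https://app.example.test/page#", "embedder"],    // empty fragment
  ["https://app.example.test/page#abc", "embedder"], // outer page picks another target
];

console.log(replay(constructedEvents));
```

The model only attributes the fragment; it does not account for the scroll position left behind after the framed page overwrites an embedder-set fragment.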