[whatwg] some thoughts on sandboxed IFRAMEs

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Mon, 25 Jan 2010 12:39:04 -0500
Message-ID: <7c2a12e21001250939x72017b63s1deb449511ebcec4@mail.gmail.com>

On Mon, Jan 25, 2010 at 1:29 AM, Adam Barth <whatwg at adambarth.com> wrote:
> That depends what information the attacker encodes in the host name.
> Recall that we're imagining the attacker gets to run JavaScript within
> the sandbox

If we're assuming that, then yes, it's probably hopeless.  But are we
assuming that?  The given use-case was webmail -- that would be
expected to disable scripts in the sandbox, no?

> The point is that stopping exfiltration is a losing battle that we
> shouldn't bother to play.

Even if scripting is disabled?

Received on Monday, 25 January 2010 09:39:04 UTC