- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 05 Jul 2010 17:35:27 -0700
On 7/5/10 12:37 PM, Markus Ernst wrote:
> I can't imagine how the information about the computed width and height
> can be abused - would you mind giving an example?

Sure. For example, you can often use this to detect whether the user is currently logged into the site in the iframe, which is a privacy leak. Depending on the target site, other things that might be exposed this way are things like the number of credit card transactions the user has performed in the last month, the number of phone calls the user has made in the last month... you get the idea.

> A possible workaround to security issues could be an element to be set
> in the included document, such as a meta tag that contains a
> comma-separated list of domains that are allowed to include the document,
> and also get information about dimensions and such. Some kind of:
> <meta name="allow-embedding" content="whatwg.org, mozilla.com">

How is this different from allowing opt-in into seamless iframes across origins?

> Also, if this is a potential danger, should the 2 list paragraphs about
> width and height in the part on @seamless be removed at all? As far as I
> understand, the effects of @seamless require the iframe source to be
> from the same origin as the parent document, thus I think that width and
> height of an iframe should be computed independent from @seamless. Else,
> the whole page layout is likely to change if the iframe source is
> navigated from a same-origin document to one from another origin.

Yes, it will. Why is this a problem?

> There has been no reason for authors to apply this declaration so far,
> but if anyone did, he/she wanted the rendering I suggest.

Experience shows this to not be the case. People blindly apply CSS without thinking through the implications as long as the current rendering is "right"; I will bet money there are pages out there that use display:block on iframes just to get linebreaks before/after and will break if the sizing behavior changes.

-Boris
Received on Monday, 5 July 2010 17:35:27 UTC
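An added example, not code from either participant or from any browser, modelling the opt-in discussed above: the parent document only gets to observe an iframe's content-derived size when the frame is same-origin or the framed page's proposed `allow-embedding` meta tag lists the embedder's host. The exact-host matching, the `URL`-based origin comparison and the fixed fallback box size are assumptions made here, as is the sample meta content.

```javascript
// Assumed fallback box: what a cross-origin parent sees when not opted in,
// so the observed size carries no information about the framed page's
// state (logged in or not, number of rows rendered, and so on).
const FALLBACK_SIZE = { width: 300, height: 150 };

// Parse the proposed <meta name="allow-embedding" content="..."> value
// into a list of lowercase hostnames (bare hosts, no scheme or port).
function parseAllowEmbedding(content) {
  return content
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// Extract the hostname from an origin string; null if it does not parse.
function originHost(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact host match only: a substring or suffix test would let a host such
// as "evilmozilla.com" pass for an allowlist entry of "mozilla.com".
function isEmbeddingAllowed(embedderOrigin, metaContent) {
  const host = originHost(embedderOrigin);
  return host !== null && parseAllowEmbedding(metaContent).includes(host);
}

// Size the parent document is permitted to observe for the iframe.
// contentSize is the frame's real content-derived size (constructed input).
function observableFrameSize(parentOrigin, frameOrigin, metaContent, contentSize) {
  const sameOrigin = new URL(parentOrigin).origin === new URL(frameOrigin).origin;
  if (sameOrigin || isEmbeddingAllowed(parentOrigin, metaContent)) {
    return { ...contentSize };
  }
  return { ...FALLBACK_SIZE };
}

// Constructed sample: the meta content from Markus's message.
const SAMPLE_META = 'whatwg.org, mozilla.com';
```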