- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 3 Dec 2014 15:52:36 +0100
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WHATWG <whatwg@lists.whatwg.org>
On Tue, Dec 2, 2014 at 6:04 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > Actually, sandboxing iframes of your own site is one of the main sandbox use > cases: it allows limited user upload of content without creating security > holes, in theory. No it is not, only if you use it in combination with srcdoc you are safe. Otherwise an attacker could trick the user to navigate directly to the file and steal cookies or origin-bound data. (The solution here is to finally fix the clipboard stuff. I believe both Gecko and Chrome have similar plans to address this case judging from their mailing lists. It would be good if those discussions moved into a spec space.) -- https://annevankesteren.nl/
Received on Wednesday, 3 December 2014 14:53:07 UTC