- From: Brad Kemper <brkemper@comcast.net>
- Date: Wed, 20 Feb 2008 07:54:06 -0800
- To: Justin Rogers <justrog@microsoft.com>
- Cc: Bert Bos <bert@w3.org>, "www-style@w3.org" <www-style@w3.org>
Received on Wednesday, 20 February 2008 15:54:46 UTC
On Feb 20, 2008, at 7:01 AM, Justin Rogers wrote:

> I apologize in advance if I'm reading too much into the use of
> auto-sizing, but...
>
> Any specification should be very careful when giving the IFRAME
> element or any element that renders variable and cross domain
> content the ability to auto-size based on the content itself. If
> you do this I can now predict based on the final size of the
> element the contents of the page in the element. You could call
> this a minor cross domain hole, but information disclosure like
> this is becoming the new mechanism for targeting users with
> convincing phishing attacks.

Couldn't that be solved by not giving the document in the IFRAME JavaScript access to things like the document's or body's clientHeight, offsetHeight, scrollTop, scrollHeight, etc. unless it adhered to the same domain policy? Or (to avoid breakage), providing values for those things that assume a height that was as tall as it needed to be for no scrolling (if not in same domain)?