[html5] r4018 - [e] (0) Mention the mostly hypothetical security risk of <iframe marginwidth>
whatwg at whatwg.org
Mon Sep 28 18:13:50 PDT 2009
Author: ianh
Date: 2009-09-28 18:13:49 -0700 (Mon, 28 Sep 2009)
New Revision: 4018
Modified:
index
source
Log:
[e] (0) Mention the mostly hypothetical security risk of <iframe marginwidth>
Modified: index
===================================================================
--- index 2009-09-29 01:01:05 UTC (rev 4017)
+++ index 2009-09-29 01:13:49 UTC (rev 4018)
@@ -71690,8 +71690,6 @@
default value of 8px is expected to be used for that property
instead.</p>
- <!-- XXX so, uh, about the cross-site-styling hole below... -->
-
<table><thead><tr><th>Property
<th>Source
<tbody><tr><td rowspan=3>'margin-top'
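Review bot: the removed XXX comment about the "cross-site-styling hole" was the only marker of this issue beside the margin table, and after this change nothing at this spot points to it. The warning added in the next hunk describes the risk but leaves the requirements themselves unchanged, so if the hole is being accepted rather than closed, consider saying that explicitly in the warning so the open question the XXX recorded is not lost.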
@@ -71719,6 +71717,14 @@
<code><a href=#frame>frame</a></code> or <code><a href=#the-iframe-element>iframe</a></code> element. Otherwise, there
is no <a href=#container-frame-element>container frame element</a>.</p>
+ <p class=warning>The above requirements imply that a page can
+ change the margins of another page (including one from another
+ <a href=#origin>origin</a>) using, for example, an
+ <code><a href=#the-iframe-element>iframe</a></code>. This is potentially a security risk, as it
+ might in some cases allow an attack to contrive a situation in which
+ a page is rendered not as the author intended, possibly for the
+ purposes of phishing or otherwise misleading the user.</p>
+
<hr><p>If the <code>Document</code> has a <a href=#root-element>root element</a>, and
the <code>Document</code>'s <a href=#browsing-context>browsing context</a> is a
<a href=#nested-browsing-context>nested browsing context</a>, and the <a href=#browsing-context-container>browsing context
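Review bot: typo in the added warning paragraph: "allow an attack to contrive a situation" should presumably read "allow an attacker to contrive a situation". The same sentence appears in the hunk for the source file, so the fix needs to land in both files.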
Modified: source
===================================================================
--- source 2009-09-29 01:01:05 UTC (rev 4017)
+++ source 2009-09-29 01:13:49 UTC (rev 4018)
@@ -85140,8 +85140,6 @@
default value of 8px is expected to be used for that property
instead.</p>
- <!-- XXX so, uh, about the cross-site-styling hole below... -->
-
<table>
<thead>
<tr>
@@ -85190,6 +85188,14 @@
<code>frame</code> or <code>iframe</code> element. Otherwise, there
is no <span>container frame element</span>.</p>
+ <p class="warning">The above requirements imply that a page can
+ change the margins of another page (including one from another
+ <span>origin</span>) using, for example, an
+ <code>iframe</code>. This is potentially a security risk, as it
+ might in some cases allow an attack to contrive a situation in which
+ a page is rendered not as the author intended, possibly for the
+ purposes of phishing or otherwise misleading the user.</p>
+
<hr>
<p>If the <code>Document</code> has a <span>root element</span>, and
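Review bot: the added warning says a page can "change the margins of another page" but never names the mechanism; the log message refers to <iframe marginwidth>, and naming that attribute in the paragraph would let readers connect the warning to the requirements it is about. The paragraph also stops at stating the risk: a sentence on what the author of a framed page can do about it (for example, not depending on the default body margins for layout that must not be altered) would make the warning actionable.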