[whatwg] The <iframe> element and sandboxing ideas

Collin Jackson w3c at collinjackson.com
Mon May 26 18:02:05 PDT 2008


On Sun, May 25, 2008 at 12:02 PM, Jon Ferraiolo <jferrai at us.ibm.com> wrote:
> I would assume that there are also
> security issues with allowing the parent to override the styling of an
> embedded iframe because conceivably someone could invoke a bank website
> within an iframe and it wouldn't be good if the parent could override some
> of the CSS for the bank's website. Similarly, you probably wouldn't want the
> parent frame to be able to listen to keystrokes that happen within the child
> iframe (e.g., your password).

Since the parent can already overlay password fields on top of the
sandboxed frame or replace it with a spoofed version, I don't think we
should encourage widgets to solicit passwords inside their sandboxed
frame if they don't trust their parent.

Collin Jackson


