[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Fri Sep 26 03:22:06 PDT 2008

On Thu, 25 Sep 2008, Maciej Stachowiak wrote:

>> I meant, corner of the container, rather than actual document rendered 
>> within.
> Then can't you work around the restriction by scrolling the contents 
> inside the iframe and sizing it carefully? (One way to scroll an iframe 
> to a desired position is to load a URL containing an anchor link

This was addressed in the original proposal (anchors and within-IFRAME 
focus() calls). There should be no other useful ways to scroll 
different-domain IFRAMEs, I'm hoping (window.scroll* methods are 
mercifully restricted in such a case in most browsers).

> For example, iGoogle widgets would become disabled if scrolled partially 
> off the top of the page under your proposal. And even if scrolled back 
> into view, would remain disabled for a second. With possibly a jarring 
> visual effect, or alternately, no visual indication that they are 
> disabled. Hard to decide which is worse.

As per the other thread, this is easily preventable (and a clause for UI 
action optimizations is already in the original proposal). I don't see 
this as a sufficient argument to dismiss the proposal, quite frankly - it 
does not indicate a fatal flaw, but rather a minor issue that is rather 
easily worked around.


More information about the whatwg mailing list