[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Fri Sep 26 03:22:06 PDT 2008
On Thu, 25 Sep 2008, Maciej Stachowiak wrote:
>> I meant, corner of the container, rather than actual document rendered
>> within.
>
> Then can't you work around the restriction by scrolling the contents
> inside the iframe and sizing it carefully? (One way to scroll an iframe
> to a desired position is to load a URL containing an anchor link
This was addressed in the original proposal (anchors and within-IFRAME
focus() calls). There should be no other useful ways to scroll
different-domain IFRAMEs, I'm hoping (window.scroll* methods are
mercifully restricted in such a case in most browsers).
> For example, iGoogle widgets would become disabled if scrolled partially
> off the top of the page under your proposal. And even if scrolled back
> into view, would remain disabled for a second. With possibly a jarring
> visual effect, or alternately, no visual indication that they are
> disabled. Hard to decide which is worse.
As per the other thread, this is easily preventable (and a clause for UI
action optimizations is already in the original proposal). I don't see
this as a sufficient argument to dismiss the proposal, quite frankly - it
does not indicate a fatal flaw, but rather a minor issue that is rather
easily worked around.
Cheers,
/mz
More information about the whatwg
mailing list