[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Maciej Stachowiak mjs at apple.com
Fri Sep 26 10:04:17 PDT 2008


On Sep 26, 2008, at 3:22 AM, Michal Zalewski wrote:

> On Thu, 25 Sep 2008, Maciej Stachowiak wrote:
>
>>> I meant, corner of the container, rather than actual document  
>>> rendered within.
>>
>> Then can't you work around the restriction by scrolling the  
>> contents inside the iframe and sizing it carefully? (One way to  
>> scroll an iframe to a desired position is to load a URL containing  
>> an anchor link
>
> This was addressed in the original proposal (anchors and
> within-IFRAME focus() calls). There should be no other useful ways to
> scroll different-domain IFRAMEs, I'm hoping (window.scroll* methods
> are mercifully restricted in such a case in most browsers).
>
>> For example, iGoogle widgets would become disabled if scrolled  
>> partially off the top of the page under your proposal. And even if  
>> scrolled back into view, would remain disabled for a second. With  
>> possibly a jarring visual effect, or alternately, no visual  
>> indication that they are disabled. Hard to decide which is worse.
>
> As per the other thread, this is easily preventable (and a clause  
> for UI action optimizations is already in the original proposal). I  
> don't see this as a sufficient argument to dismiss the proposal,  
> quite frankly - it does not indicate a fatal flaw, but rather a  
> minor issue that is rather easily worked around.

Maybe I didn't read very well, but I don't see how the "clause for UI  
action optimizations" would prevent what I described. Could you spell  
it out for me please? It seems to me that the embedded iframes for  
iGoogle gadgets (or similar) will indeed be disabled when scrolled  
partly off the top of the page (or maybe dead to UI events only when  
you bring the mouse near them, which amounts to the same thing). I am  
also not sure what you mean by "the other thread".

Regards,
Maciej

P.S. I cited this example because it is a Google property, but I am  
sure there are many others like it. We can't expect content authors to  
immediately fix them all.
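The side effect Maciej describes can be made concrete by modelling the proposed browser rule as he summarises it. The following is an added illustration, not code from the thread or from any browser: it assumes (as the message does, not the full original proposal) that a cross-origin frame accepts UI events only while it is fully inside the viewport, and that it stays disabled for one second after it last came fully into view. The `FrameInputGate` class, the `scenario()` walk-through and its pixel values are constructed for this example.

```javascript
// Added illustration (not from the thread): a model of the
// "disable partially-clipped cross-origin frames" rule as Maciej
// describes it. Assumed, not taken from the original proposal: the
// frame must be fully inside the viewport to accept input, and it
// remains disabled for REENABLE_DELAY_MS after it last became fully
// visible ("would remain disabled for a second").
const REENABLE_DELAY_MS = 1000;

// rect and viewport are {top, left, width, height} in CSS pixels
// (constructed inputs, not taken from a real layout).
function fullyVisible(rect, viewport) {
  return rect.top >= viewport.top &&
         rect.left >= viewport.left &&
         rect.top + rect.height <= viewport.top + viewport.height &&
         rect.left + rect.width <= viewport.left + viewport.width;
}

// Tracks one embedded frame's input state across layout snapshots.
class FrameInputGate {
  constructor() { this.fullyVisibleSince = null; }

  // Returns true if the frame may receive UI events at time `now` (ms).
  update(rect, viewport, now) {
    if (!fullyVisible(rect, viewport)) {
      this.fullyVisibleSince = null;   // clipped: events are dropped
      return false;
    }
    if (this.fullyVisibleSince === null) this.fullyVisibleSince = now;
    return now - this.fullyVisibleSince >= REENABLE_DELAY_MS;
  }
}

// Walk-through of the iGoogle-style gadget case from the message
// (constructed numbers). Returns the sequence of enabled/disabled states.
function scenario() {
  const gate = new FrameInputGate();
  const viewport = { top: 0, left: 0, width: 1024, height: 768 };
  const gadget = { left: 100, width: 300, height: 200 };
  const states = [];
  // t=0: gadget fully on screen but only just visible -> still disabled
  states.push(gate.update({ ...gadget, top: 50 }, viewport, 0));
  // t=1000: one second later -> enabled
  states.push(gate.update({ ...gadget, top: 50 }, viewport, 1000));
  // t=1500: user scrolls down 100px; gadget now partly above the
  // viewport -> disabled, even though the user can still see most of it
  states.push(gate.update({ ...gadget, top: -50 }, viewport, 1500));
  // t=1600: scrolled back into full view -> still disabled for the delay
  states.push(gate.update({ ...gadget, top: 50 }, viewport, 1600));
  // t=2600: delay elapsed -> enabled again
  states.push(gate.update({ ...gadget, top: 50 }, viewport, 2600));
  return states;
}
```

The third and fourth snapshots are the point of the complaint: an ordinary scroll that leaves the gadget partly above the top edge turns it off, and scrolling back does not turn it on again until the delay has run, with nothing in this model telling the user why.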
