[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Tue Sep 30 02:33:30 PDT 2008

On Tue, 30 Sep 2008, Robert O'Callahan wrote:

> If I understand correctly, with Michal's option 3, those sites would 
> also stop working as soon as the user scrolled down in the framed page 
> (so that the top-left of the framed page is out of view).

Nope, the restriction applies strictly to the top-left corner of the 
*container* getting scrolled of the screen - not that of the content 
displayed within that container. In all the cases outlined by Ian, the 
IFRAMEs stay on screen, it's just that the content gets scrolled.

[ The only thing that #3 tries to prevent is having a cross-domain IFRAME
   positioned with CSS at negative screen offsets or with negative margins
   / padding, then carefully set IFRAME height and width, to effectively
   "crop" whatever is left displayed on screen. This is a weaker, but still
   plausible variant of the attack. ]


More information about the whatwg mailing list