[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Tue Sep 30 02:33:30 PDT 2008
On Tue, 30 Sep 2008, Robert O'Callahan wrote:
> If I understand correctly, with Michal's option 3, those sites would
> also stop working as soon as the user scrolled down in the framed page
> (so that the top-left of the framed page is out of view).
Nope, the restriction applies strictly to the top-left corner of the
*container* getting scrolled off the screen - not that of the content
displayed within that container. In all the cases outlined by Ian, the
IFRAMEs stay on screen, it's just that the content gets scrolled.
[ The only thing that #3 tries to prevent is having a cross-domain IFRAME
positioned with CSS at negative screen offsets or with negative margins
/ padding, then carefully set IFRAME height and width, to effectively
"crop" whatever is left displayed on screen. This is a weaker, but still
plausible variant of the attack. ]
/mz