[whatwg] some thoughts on sandboxed IFRAMEs

Aryeh Gregor Simetrical+w3c at gmail.com
Mon Jan 25 09:39:04 PST 2010


On Mon, Jan 25, 2010 at 1:29 AM, Adam Barth <whatwg at adambarth.com> wrote:
> That depends what information the attacker encodes in the host name.
> Recall that we're imaging the attacker gets to run JavaScript within
> the sandbox

If we're assuming that, then yes, it's probably hopeless.  But are we
assuming that?  The given use-case was webmail -- that would be
expected to disable scripts in the sandbox, no?

> The point is that stopping exfiltration is a losing battle that we
> shouldn't bother to play.

Even if scripting is disabled?


More information about the whatwg mailing list