[whatwg] Prevent a document from being manipulated by a "top" document

Dennis Joachimsthaler dennis at efjot.de
Tue Aug 2 03:21:31 PDT 2011


I think this needs a better thread title... Feel free to change it.


I've been having this idea. Usually when you insert an <iframe>, for  
example
you can easily manipulate it's DOM structure.

There is no way to prevent this, or? The top document can even just sandbox
the iframe and allow scripts, but not allow top navigation. In this case
the sandboxed iframe is stuck. The top can do whatever it wants with it,  
unless
the sandbox does some weird combination of javascript that might save it  
from
manipulation. Many sites do this, but some do not!

I propose a <head> or <html> attribute or tag which puts the document into  
a
"protected" mode, thus preventing it from being put into an iframe and/or  
manipulated.

The dangers of this situation could be as follows:

Somebody puts <insert social network here> into an iframe, making you log  
in
automatically. He has now access to your data. Instantly. When you access  
any site.

Proposing a very easy to implement protection from iframe manipulation is  
something
that would be very helpful for webmasters.

A few ideas of implementation:

<html topmanipulation="protected">
<html protected>
<html topprotected>
<html contentprotected>
<body contentprotected>

<body contentprotected="all"> could protect it from all script access.  
This could be
sent for webserver responses that MUST NOT be caught by anything (user  
scripts?).

Also being able to apply this to any container tag, if someone wants to  
fine-grain
the security.


More information about the whatwg mailing list