<div class="gmail_quote">On Fri, Apr 3, 2009 at 10:46 PM, Cameron McCormack <span dir="ltr"><<a href="mailto:cam@mcc.id.au">cam@mcc.id.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Ojan Vafai:<br>
<div class="im">> 2) Add a css or xpath expression to fragment identifiers. Tthe iframe<br>
> src can be set to <a href="http://foo.com#css(.foo" target="_blank">http://foo.com#css(.foo</a> #bar). Same as above<br>
> applies. If there's no match, it's a noop. If there is a match, it<br>
> scrolls the first one into view.<br>
<br>
</div>Sounds like XPointer:<br>
<br>
<a href="http://www.w3.org/TR/xptr-framework/" target="_blank">http://www.w3.org/TR/xptr-framework/</a><br>
<font color="#888888"></font></blockquote><div><br></div><div>Yes, it's a similar idea. XPointer seems focused on XML/XHTML, I'm not sure what it would take to extend the spec to include HTML. In addition, I don't really see the point of adding yet another element addressing scheme to the web. XPath and CSS selectors are already there and familiar to developers.</div>
<div><br></div><div>On Sun, Apr 5, 2009 at 10:32 PM, Adam Barth <span dir="ltr"><<a href="mailto:whatwg@adambarth.com">whatwg@adambarth.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div class="im">On Sun, Apr 5, 2009 at 1:09 AM, Giorgio Maone <<a href="mailto:g.maone@informaction.com">g.maone@informaction.com</a>> wrote:<br></div><div class="im">> It would make clickjacking attacks more precise, by exactly positioning the<br>
> frame content where the attacker wants it to be.<br>> Not that you cannot already be pixel-precise by using absolute positioning<br>> inside an overflow: hidden div...<br>> Let's say it would make them even more script-kiddies friendly.<br>
<br></div>Hum... That doesn't sound that bad. If you're relying on the<br>obscurity of pixel offsets for a clickjacking defense, then you've got<br>bigger problems than scrollIntoView.</blockquote><div><br>
</div>
<div>I agree with Adam here. I don't see that this opens any significant attack vector. That said, if someone can think of a serious security concern, I'm all ears.</div></div><div><br></div><div>Ojan</div></div>