Tab Atkins
Mar 15, 2022, 4:43:25 PM
to Camille Lamy, blink-dev, Khushal Sagar, Vladimir Levin, taba...@chromium.org
On Tue, Mar 15, 2022 at 9:11 AM Camille Lamy <cl...@chromium.org> wrote:
> We looked at this as part of the Security & privacy review process for Web Platform intents, and we were wondering about the feature behavior with regards to iframes. Specifically, we were concerned about the potential for a child frame to draw custom content over its parent using this feature. Is something like this possible as part of the overflow mechanism? If so, we were concerned about the potential for spoofing.
Excellent question; the object-* properties were designed with images
in mind rather than iframes. That would indeed be possible with the
spec as currently written; however, it can only be done with the outer
page's blessing - the property needs to be set on the <iframe> element
itself, and can't be adjusted by the embedded page.
I suspect that this is still too dangerous of an ability to expose,
and the right answer is to force iframes to be `object-overflow: clip`
at all times; possibly we should force *all* of the object-*
properties to their initial values for iframes. I've raised this in
the CSSWG <https://github.com/w3c/csswg-drafts/issues/7143>, and will
adjust the spec after the WG discusses this. Thanks so much for the
review!
~TJ