[tahoe-lafs-trac-stream] [tahoe-lafs] #1797: WUI: view content in an HTML5 sandboxed iframe
tahoe-lafs
trac at tahoe-lafs.org
Mon Apr 15 11:04:57 UTC 2013
#1797: WUI: view content in an HTML5 sandboxed iframe
-------------------------------+-------------------------------------------
 Reporter:   davidsarah        | Owner:
 Type:       defect            | Status:     new
 Priority:   major             | Milestone:  soon
 Component:  code-frontend-web | Version:    1.9.2
 Resolution:                   | Keywords:   wui security usability
 Launchpad Bug:                |             javascript sandbox same-origin
-------------------------------+-------------------------------------------
Comment (by freddyb):
Currently, it's very hard (and according to
https://bugzilla.mozilla.org/show_bug.cgi?id=859454#c11 nearly impossible)
to restrict a document to its frame and allow scripts at the same time
with iframe sandbox.
Once scripting is allowed, the document may use certain hacks to break out
of the sandbox by unframing itself, thus being rendered in a shared origin
(again).
Did you look at the paper "Privilege Separation in HTML5 Applications"
(USENIX Security 2012)? Worth a read in this context:
https://www.usenix.org/conference/usenixsecurity12/privilege-separation-html5-applications
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1797#comment:5>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage