Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Example 12 (security/privacy) seems unneeded #180

Closed
annevk opened this issue Nov 30, 2021 · 2 comments · Fixed by #241
Closed

Example 12 (security/privacy) seems unneeded #180

annevk opened this issue Nov 30, 2021 · 2 comments · Fixed by #241
Labels
spec issue

Comments

@annevk
Copy link
Collaborator

annevk commented Nov 30, 2021

A malicious page embeds a cross-origin victim in an iframe. The victim page contains information sensitive to the user. The malicious page navigates the victim to a text fragment. Since a successful fragment match will cause focus, the malicious page can determine if the text appears in the victim by listening for a blur event in its own document.

This attack is ruled out by the processing model. If we wanted to include examples that are already ruled out, we'd have to include many more. (But also, we'd have to update the surrounding text which assumes they are not ruled out.)
@bokand
Copy link
Collaborator

bokand commented Dec 29, 2021

I wanted to include this case, even though it's precluded by our processing model, to give readers some idea of the kinds of cases we need to be worried about. But you're right that it doesn't fit with the other examples or surrounding prose.

I'll see if I can rework this section to make this clearer.

@ghost ghost mentioned this issue Jun 18, 2022
Closed
@bokand
Copy link
Collaborator

bokand commented Dec 21, 2022
edited
Loading

Actually, re-reading this, text fragments in an iframe aren't strictly precluded by the processing model (this changed but not since this was filed) since we only perform the top-level browsing context check for cross-origin initiators. This enables e.g. an iframe'd document navigating itself to a text fragment. Edit: I think this was wrong, cross-origin is checked after text directive user activation (which is where the top-level check was confusingly included, #239 makes this clearer)

That said, it's done via sec-fetch-site which is wrong per #179 so I'll need to address it there.

bokand added a commit to bokand/ScrollToTextFragment that referenced this issue Nov 22, 2023
@bokand
[Spec] Remove unneeded example in security section
076e485 
This example describes a situation that's already prohibited by the processing
model. All the surrounding examples are of cases that aren't prohibited but
implementors should be aware of.

Remove the example and cleanup the non-normative description of this section.

Fixes WICG#180
@bokand bokand mentioned this issue Nov 22, 2023
Merged
bokand added a commit that referenced this issue Nov 22, 2023
@bokand
[Spec] Remove unneeded example in security section (#241)
e55c560 
This example describes a situation that's already prohibited by the processing
model. All the surrounding examples are of cases that aren't prohibited but
implementors should be aware of.

Remove the example and cleanup the non-normative description of this section.

Fixes #180
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
spec issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Spec] Remove unneeded example in security section bokand/ScrollToTextFragment
2 participants
@annevk @bokand