On Tue, Mar 15, 2022 at 9:11 AM Camille Lamy <[email protected]> wrote:
> We looked at this as part of the Security & privacy review process for Web
> Platform intents, and we were wondering about the feature behavior with
> regards to iframes. Specifically, we were concerned about the potential for a
> child frame to draw custom content over its parent using this feature. Is
> something like this possible as part of the overflow mechanism? If so, we
> were concerned about the potential for spoofing.

Excellent question; the object-* properties were designed with images in mind rather than iframes.

That would indeed be possible with the spec as currently written; however, it can only be done with the outer page's blessing - the property needs to be set on the <iframe> element itself, and can't be adjusted by the embedded page.

I suspect that this is still too dangerous of an ability to expose, and the right answer is to force iframes to be `object-overflow: clip` at all times; possibly we should force *all* of the object-* properties to their initial values for iframes.

I've raised this in the CSSWG <https://github.com/w3c/csswg-drafts/issues/7143>, and will adjust the spec after the WG discusses this.

Thanks so much for the review!

~TJ
