InformAction Forums

Currently (1.9.9.90), an iframe from an untrusted domain is not blocked if it has the same 2nd level domain as the parent and forbidIFramesContext is 3.

forbidIFramesContext grants implicit trust but untrusted denies trust explicitly, explicit should override implicit

al_9x wrote:Currently (1.9.9.90), an iframe from an untrusted domain is not blocked if it has the same 2nd level domain as the parent and forbidIFramesContext is 3.

"should" is debatable. Could you explain exactly how this is a security weakness?

forbidIFramesContext grants implicit trust but untrusted denies trust explicitly, explicit should override implicit, so that's the general principle. Specifically this would allow you to block content from a subdomain on otherwise trusted site.

another way to put it, is that specific should override general.

example: if you are able to grant/deny trust to hierarchical resources, the more specific denial should and generally does override the the more general grant. If you have a write permission on a folder but a denial on a sub-folder, sub-folder denial wins.

forbidIFramesContext=3 grants (iframe) trust on a more general *.a.b level but untrusted denies on a more specific *.c.a.b

Another way to put it is that forbidIFrameContext helps to define when an IFrame needs to be considered an "object embedding", i.e. extraneous and potentially dangerous content, and when it should be regarded as an integral part of the page, rather than granting or revoking any additional trust.

Specifically this would allow you to block content from a subdomain on otherwise trusted site.

I find this a more compelling and pragmatic argument, so I'm gonna consider a change.

Please check latest development build

Giorgio Maone wrote:Please check latest development build

works, thanks