[webkit-dev] IFRAME content displaying outside boundaries when transition applied (also CVE-2010-1757)

Rob Barreca rob at sproutinc.com
Tue Sep 7 17:14:42 PDT 2010

If you load http://farm.rob.sproutinc.com/webkit.problem.iframe.html in iOS
3.1.3 and earlier and click on the gray <div>, the content will jump outside
of the IFRAME's bounds right when the WebKit Transition is applied. I
searched high and low and found CVE-2010-1757 which fixed a security bug
that now prevents this in 3.2+. But, the problem is that we are not
intentionally trying to show content outside the IFRAME, we want the content
to stay inside the IFRAME; we are only triggering a fade out transition.
Does anyone know of a workaround that we can apply on the HTML-side to
prevent this prison break from happening in 3.1.3 and earlier?

(Sorry if this isn't an appropriate place to ask this question.)

> From http://support.apple.com/kb/HT4225


CVE-ID: CVE-2010-1757

Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1
> through 3.1.3 for iPod touch (2nd generation) and later

Impact: Websites with embedded iframe elements may be vulnerable to user
> interface spoofing

Description: Safari allows an iframe element to display content outside its
> boundaries, which may lead to user interface spoofing. This issue is
> addressed by not allowing iframe elements to display content outside their
> boundaries. Credit to Wayne Pan of AdMob, Inc. for reporting this issue.


Rob Barreca
Director of Development
Sprout, Inc.
Mobile: 808.224.1905

Confidential and Proprietary Property of Sprout; Do not distribute.  The
information contained in this email is confidential.  This information is
intended for use only by the individual to whom it is addressed. If you are
not the intended recipient, you are hereby notified that any use,
dissemination, distribution or copying of this communication and its
contents is strictly prohibited. If you have received this email in error,
please immediately notify the sender by return email and delete this email
and attachments, and destroy all copies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20100907/7385b541/attachment.html>

More information about the webkit-dev mailing list