[webkit-dev] IFRAME content displaying outside boundaries when transition applied (also CVE-2010-1757)

Rob Barreca rob at sproutinc.com
Thu Sep 9 17:37:00 PDT 2010


It seems adding -webkit-transform: translateZ(0px); to the <body>'s style
attribute of the iframed content in order to enable hardware
acceleration works around this bug in 3.1.3 and earlier.

-R

On Tue, Sep 7, 2010 at 2:14 PM, Rob Barreca <rob at sproutinc.com> wrote:

> If you load http://farm.rob.sproutinc.com/webkit.problem.iframe.html in
> iOS 3.1.3 and earlier and click on the gray <div>, the content will jump
> outside of the IFRAME's bounds right when the WebKit Transition is applied.
> I searched high and low and found CVE-2010-1757 which fixed a security bug
> that now prevents this in 3.2+. But, the problem is that we are not
> intentionally trying to show content outside the IFRAME, we want the content
> to stay inside the IFRAME; we are only triggering a fade out transition.
> Does anyone know of a workaround that we can apply on the HTML-side to
> prevent this prison break from happening in 3.1.3 and earlier?
>
> (Sorry if this isn't an appropriate place to ask this question.)
>
>
> From http://support.apple.com/kb/HT4225
>
>> WebKit
>>
>> CVE-ID: CVE-2010-1757
>>
>> Available for: iOS 2.0 through 3.1.3 for iPhone 3G and later, iOS 2.1
>> through 3.1.3 for iPod touch (2nd generation) and later
>>
>> Impact: Websites with embedded iframe elements may be vulnerable to user
>> interface spoofing
>>
>> Description: Safari allows an iframe element to display content outside its
>> boundaries, which may lead to user interface spoofing. This issue is
>> addressed by not allowing iframe elements to display content outside their
>> boundaries. Credit to Wayne Pan of AdMob, Inc. for reporting this issue.
>
>
> Thanks,
>
> --
> Rob Barreca
> Director of Development
> Sprout, Inc.
> Mobile: 808.224.1905
>
> Confidential and Proprietary Property of Sprout; Do not distribute.  The
> information contained in this email is confidential.  This information is
> intended for use only by the individual to whom it is addressed. If you are
> not the intended recipient, you are hereby notified that any use,
> dissemination, distribution or copying of this communication and its
> contents is strictly prohibited. If you have received this email in error,
> please immediately notify the sender by return email and delete this email
> and attachments, and destroy all copies.
>



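The workaround from the reply above, scoped to the iOS versions the thread names as affected, as an added example that is not part of the original messages. The function names and the user-agent version gate are assumptions; the "below 3.2" cutoff is taken from the poster's statement, and the script is meant to run inside the iframed page.

```javascript
// Added example, not code from the thread. The affected range (below 3.2)
// comes from the poster's statement; all function names are hypothetical.

// Extract [major, minor] from an iOS Safari user-agent string, or null
// when the string carries no "OS x_y" token.
function parseIosVersion(ua) {
  const m = /CPU (?:iPhone )?OS (\d+)_(\d+)/.exec(ua);
  return m ? [Number(m[1]), Number(m[2])] : null;
}

// True for the iOS versions the thread reports as affected: 3.1.3 and earlier.
function needsTransformWorkaround(ua) {
  const v = parseIosVersion(ua);
  if (!v) return false;
  const [major, minor] = v;
  return major < 3 || (major === 3 && minor < 2);
}

// Apply the poster's workaround to the framed document's <body>.
// Returns true when the style was set, false when it was skipped.
function applyWorkaround(doc, ua) {
  if (!doc || !doc.body || !needsTransformWorkaround(ua)) return false;
  doc.body.style.webkitTransform = "translateZ(0px)";
  return true;
}

// Constructed user-agent strings shaped like iOS Safari's.
const UA_313 = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) " +
  "AppleWebKit/528.18 (KHTML, like Gecko) Mobile Safari/528.16";
const UA_32 = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) " +
  "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile Safari/531.21.10";

// In a browser, run against the iframed page itself; skipped elsewhere.
if (typeof document !== "undefined") {
  applyWorkaround(document, navigator.userAgent);
}
```

Gating on the version keeps the forced hardware-accelerated layer off releases where the iframe is already clipped to its bounds.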