On Monday, 12 August 2013 11:27:59 UTC+3, ianG wrote: > The only 'solution' is really to put everything into the secure side.
Unfortunately, I cannot control everything. I'm authoring a kind of CMS system for educational use and I need to support user authored content. The whole system uses only HTTPS connections for everything and the only thing that I need is ability to say <iframe isolation="sandbox" src="url-encoded-user-input"> where the "isolation" says that I want to keep this stuff in a sandbox and, yes, I truly want to embed untrusted content in this box but I never want it to interact with the main document in the any way. (Imagine a iframe pointing to youtube.com where youtube.com would not support HTTPS connections...) As far as I can tell, there's no way to escape that iframe even without the missing "isolation" parameter as long as the sandboxed content comes from different domain. As a result, that 3rd party HTTP content cannot mess with the secure site. Unfortunately, that does not fit the "Passive Mixed Content" description of Firefox. I understand being cautious with <script src="http://...";> but iframes are totally different, unless I've misunderstood something seriously incorrectly. Note that the problem is that the content to be embedded within an iframe is hosted by 3rd party that is not ready to jump to using HTTPS. Because of this, my service would need to reduce the security to allow everything to work! And this is supposed to improve end user security how? Perhaps we need support for <iframe trustmeiknowwhatido=1 src="http://...";> when using HTTPS connections? -- Mikko _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
