
Do not use allow="screen-wake-lock" for iframes #277

Closed
jumde opened this issue Aug 18, 2020 · 2 comments
Labels
security-needs-resolution Issue the security Group has raised and looks for a response on.

Comments

@jumde

jumde commented Aug 18, 2020

It would be better to use only Feature Policy to determine which third parties have access to screen-wake-lock.

{"screen-wake-lock": []}

Attributes of iframes can be easily modified by JavaScript. So a simple XSS can enable screen-wake-lock for all third-party iframes on a site.

@samuelweiler samuelweiler added the security-needs-resolution Issue the security Group has raised and looks for a response on. label Aug 20, 2020
@xfq xfq mentioned this issue Aug 20, 2020
@reillyeon (Member)

The "allow" attribute is defined by Permissions Policy (formerly known as Feature Policy). This XSS concern should be raised against that specification instead.
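
Added example, not code from this issue thread, the Screen Wake Lock spec or any browser: a simplified model of the two Permissions Policy algorithms Reilly's comment points to ("is feature enabled in document for origin" and "define an inherited policy for feature in container at origin"), run over the scenario the opening comment describes, an injected script that sets allow="screen-wake-lock" on every iframe. It uses the current Permissions-Policy header syntax rather than the JSON form quoted above. The page origin, frame origins, the single nesting level and the tolerant mini-parsers are assumptions made for the example.

```javascript
// Added example, not code from the issue, the Screen Wake Lock spec or any
// browser: a simplified model of the Permissions Policy algorithms that decide
// whether a feature is enabled in a child frame. It shows why the response
// header, not the iframe "allow" attribute, is the backstop once an injected
// script can rewrite attributes. Assumptions: one nesting level, origins as
// plain strings, and a minimal parser for the header and attribute syntax.

const TOP_ORIGIN = 'https://site.example';               // constructed embedding page
const DEFAULT_ALLOWLISTS = { 'screen-wake-lock': 'self' }; // spec default for this feature

// Parse a Permissions-Policy header value such as
//   screen-wake-lock=(self "https://partner.example"), geolocation=()
// into { feature: [origins] }, resolving self to the document's own origin.
function parsePermissionsPolicyHeader(value, docOrigin) {
  const declared = {};
  for (const entry of (value || '').split(',')) {
    const m = entry.trim().match(/^([a-z0-9-]+)=(\*|self|\(([^)]*)\))$/);
    if (!m) continue;
    const [, feature, rhs, inner] = m;
    const tokens = rhs.startsWith('(') ? (inner.match(/"[^"]*"|self|\*/g) || []) : [rhs];
    declared[feature] = tokens.map(t => (t === 'self' ? docOrigin : t.replace(/"/g, '')));
  }
  return declared;
}

// Parse an iframe allow attribute such as "screen-wake-lock; geolocation 'self'"
// into { feature: [origins] }. No origin list means the frame's own src origin.
function parseAllowAttribute(attr, srcOrigin, docOrigin) {
  const container = {};
  for (const item of (attr || '').split(';')) {
    const [feature, ...origins] = item.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    container[feature] = origins.length === 0 ? [srcOrigin]
      : origins.map(o => o.replace(/'/g, ''))
               .map(o => (o === 'src' ? srcOrigin : o === 'self' ? docOrigin : o));
  }
  return container;
}

const allowlistMatches = (allowlist, origin) => allowlist.includes('*') || allowlist.includes(origin);

// "Is feature enabled in document for origin", for a top-level document
// (whose inherited policy is always Enabled, so it is not modelled here).
function isEnabledInDocument(doc, feature, origin) {
  if (feature in doc.declared) return allowlistMatches(doc.declared[feature], origin);
  const def = DEFAULT_ALLOWLISTS[feature];
  return def === '*' || (def === 'self' && origin === doc.origin);
}

// "Define an inherited policy for feature in container at origin", for a frame
// embedded directly in doc. The header is consulted before the attribute.
function featureEnabledInFrame(doc, frame, feature) {
  if (!isEnabledInDocument(doc, feature, doc.origin)) return false;     // parent lacks it
  if (feature in doc.declared && !allowlistMatches(doc.declared[feature], frame.origin)) {
    return false;                                                        // header does not delegate to this origin
  }
  const container = parseAllowAttribute(frame.allow, frame.origin, doc.origin);
  if (feature in container) return allowlistMatches(container[feature], frame.origin); // attribute decides
  const def = DEFAULT_ALLOWLISTS[feature];
  return def === '*' || (def === 'self' && frame.origin === doc.origin);
}

// Evaluate a page's frames before and after an injected script does what the
// issue warns about, i.e. the equivalent of
//   document.querySelectorAll('iframe').forEach(f => f.setAttribute('allow', 'screen-wake-lock'))
// Returns [{ origin, before, after }] per frame.
function simulateXss(headerValue, frames, feature = 'screen-wake-lock') {
  const doc = { origin: TOP_ORIGIN, declared: parsePermissionsPolicyHeader(headerValue, TOP_ORIGIN) };
  return frames.map(f => ({
    origin: f.origin,
    before: featureEnabledInFrame(doc, f, feature),
    after: featureEnabledInFrame(doc, { ...f, allow: feature }, feature),
  }));
}

// Constructed sample page: a partner frame and an ad frame, neither with allow=.
const FRAMES = [
  { origin: 'https://partner.example', allow: '' },
  { origin: 'https://ads.example', allow: '' },
];

// Constructed header variants for the same page.
const HEADERS = {
  none: '',                                                          // rely on allow= alone: the XSS wins
  disabled: 'screen-wake-lock=()',                                   // nobody gets it, not even the page
  partnerOnly: 'screen-wake-lock=(self "https://partner.example")', // header names the one delegate
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, value] of Object.entries(HEADERS)) {
    console.log(name, JSON.stringify(simulateXss(value, FRAMES)));
  }
}
```

With no header, the rewritten allow attribute turns the feature on in every frame, which is the concern in the opening comment. With `screen-wake-lock=()` the parent itself has the feature disabled, so no attribute value can re-enable it in a child. With an explicit allowlist in the header, the attribute still has to be present to delegate to the partner frame, but the ad frame stays disabled no matter what the attribute says, because the header's allowlist is checked before the attribute is consulted.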

@rakuco (Member)

rakuco commented Sep 22, 2020

Is there anything we need to act upon here given Reilly's comment?

@jumde jumde closed this as completed Sep 22, 2020
4 participants