[css-nav-1] Review the security model of how we interact with iframes

[frivoal]

---

Migrated from WICG/spatial-navigation#28
Originally created by @frivoal on Fri, 16 Feb 2018 07:07:50 GMT

---

I am not a security person. Is the way spatnav and its various Events and APIs work with iframes sane? In particular, https://wicg.github.io/spatial-navigation/#spatial-navigation-steps should be reviewed.

[frivoal]

---

Migrated from WICG/spatial-navigation#28 (comment)
Originally created by @frivoal on Wed, 25 Jul 2018 15:23:08 GMT

---

In 7.2, step 8.else.2.else means that the search for focusable or scrollable elements up the tree will cross iframe boundaries. However, the details of it mean that events don't leak information about the content of the iframe, since starting point, event target and container are retargetted against the iframe element itself, and no longer carry information about the elements inside the iframe's document.

This means that there isn't really any information leak. Regardless of which element in the iframe was focused (or if none was focused), you'll get the same event.

The only case of information leakage I think is when the author would usewindow.navigate, while the focus is in an iframe, if they don't get an event at all it means that either there was something scrollable of focusable within the iframe, as the only case where you get an event is when the search didn't find anything at all goes up the tree.

This is so limited information that I don't think it introduces real security problems, but it is as far as I can tell information that you could not get otherwise.

[frivoal]

---

Migrated from WICG/spatial-navigation#28 (comment)
Originally created by @frivoal on Thu, 31 May 2018 07:45:01 GMT

---

See also WICG/spatial-navigation#58

[frivoal]

---

Migrated from WICG/spatial-navigation#28 (comment)
Originally created by @cynthia on Thu, 31 May 2018 16:11:36 GMT

---

This looks relevant. w3c/webappsec-permissions-policy#171