ISSUE-55: How to handle seamless flag for input-protection policies?

input-protection and seamless iframes

How to handle seamless flag for input-protection policies?

UI Security
Raised by:
Brad Hill
Opened on:
Should we prohibit displaying content with an input-protection policy in a seamless iframe? Because CSS gets cascaded into such a frame, it arguably already has no UI integrity from it's parent - but seamless also already requires that the parent be same-origin.

Should an input-protection policy be treated as "frame-options 'deny'" when a resource is embedded with the seamless flag?

Or should we allow it, because the embedder must be same-origin? If yes, should we cascade input-protection from the embedding parent (including selectors) or attempt to continue to enforce it as-specified?
Related Actions Items:
No related actions
Related emails:
No related emails

Related notes:

After discussion on list, no special treatment required. Spec already allows same-origin content to interfere with protected regions.

Brad Hill, 25 Nov 2013, 22:34:51

Display change log ATOM feed

Daniel Veditz <>, Mike West <>, Chairs, Wendy Seltzer <>, Samuel Weiler <>, Staff Contacts
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 55.html,v 1.1 2020/01/17 08:52:37 carcone Exp $