7121 – Determine if there are security issues around outer documents overriding behavior inside frames

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 7121 - Determine if there are security issues around outer documents overriding behavior inside frames

Summary: Determine if there are security issues around outer documents overriding beha...

Status:	RESOLVED FIXED

Alias:	None

Product:	ARIA
Classification:	Unclassified
Component:	Core AAM (show other bugs)
Version:	1.0
Hardware:	PC Windows XP

Importance:	P1 normal
Target Milestone:	---
Assignee:	Andi Snow-Weaver
QA Contact:	ARIA UA Implementors

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2009-07-17 12:25 UTC by Andi Snow-Weaver
Modified:	2010-07-01 19:34 UTC (History)
CC List:	0 users

See Also:

Attachments

Description Andi Snow-Weaver 2009-07-17 12:25:49 UTC

Comment 1 Andi Snow-Weaver 2009-07-17 12:27:30 UTC

5.1: numbered bullets after "computing other properties for an inner document"

#1 - another case that seems a little odd - outer document controlling behavior of inner document

Comment 2 Andi Snow-Weaver 2009-08-05 18:31:53 UTC

Note that section 5.1, bullet #1 referred to in the previous comment is this one:

# For user-controlled properties (aria-selected, aria-valuenow, aria-valuetext, aria-activedescendant), use the WAI-ARIA markup on the root WAI-ARIA node only

Comment 3 Cynthia Shelly 2010-04-20 20:23:20 UTC

Security issues would only come in if javascript from the parent had access to the accname that was built from the <title> of the child.  It doesn't.  We should probably add a note to this section along the lines of:

NOTE:  If the child frame is in a different domain than the parent, do not expose the name to javascript in the parent.