From 6ac1e58d2578dad23e1697b36f9bcfc2ac4776b5 Mon Sep 17 00:00:00 2001 From: Simon Pieters Date: Tue, 4 Nov 2025 12:54:55 +0100 Subject: [PATCH 1/2] Make topmargin and leftmargin attributes apply to both sides Fixes #11879. --- source | 20 ++------------------ 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/source b/source index 2f92781ba5c..6fc4b1d823e 100644 --- a/source +++ b/source @@ -145101,7 +145101,7 @@ html, body { display: block; } Source - 'margin-top' + 'margin-top', 'margin-bottom' The body element's marginheight attribute The body element's topmargin attribute @@ -145109,23 +145109,7 @@ html, body { display: block; } The body element's container frame element's marginheight attribute - 'margin-right' - The body element's marginwidth attribute - - The body element's rightmargin attribute - - The body element's container frame element's marginwidth attribute - - - 'margin-bottom' - The body element's marginheight attribute - - The body element's bottommargin attribute - - The body element's container frame element's marginheight attribute - - - 'margin-left' + 'margin-left', 'margin-right' The body element's marginwidth attribute The body element's leftmargin attribute From 6461e0d88226cd1c88cdad39b9a7ae32e28794a9 Mon Sep 17 00:00:00 2001 From: Simon Pieters Date: Wed, 5 Nov 2025 10:12:26 +0100 Subject: [PATCH 2/2] Snapshot the margin* attributes on frame/iframe at document creation This effectively removes a cross-origin communication channel. Fixes #2486. --- source | 76 +++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 25 deletions(-) diff --git a/source b/source index 6fc4b1d823e..228809451e6 100644 --- a/source +++ b/source @@ -11470,6 +11470,14 @@ partial interface Document {

Each Document has an open dialogs list, which is a list of dialog elements, initially empty.

+

Each Document has a boolean embedder has margin attributes, initially + false.

+ +

This is set to true when the container is a frame element or an + iframe element with a marginwidth or a marginheight attribute specified. This is used + in the Rendering section.

+

The DocumentOrShadowRoot interface

DOM defines the cross-origin isolated capability.
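Review bot: the explanatory note added under the new "embedder has margin attributes" boolean says it "is set to true when the container is a frame element or an iframe element with a marginwidth or a marginheight attribute specified", but does not say when that check is made. The commit subject is about snapshotting at document creation, so say that here as well, for example "This is set when the Document is created", so that a reader of the Document definition does not assume the value follows later changes to the container's attributes.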

+
  • Let embedderHasMarginAttributes be true if embedder is a + frame element or an iframe element that has a marginwidth or a marginheight attribute specified, and false + otherwise.

  • +
  • Let document be a new Document, with:
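Review bot: in the added step "Let embedderHasMarginAttributes be true if embedder is a frame element or an iframe element that has a marginwidth or a marginheight attribute specified", the "that has" clause can be read as applying to the iframe case only, which would make every frame element yield true. Suggest "if embedder is a frame or iframe element, and embedder has a marginwidth or marginheight attribute specified". The same wording appears in the note on the Document member and in the second creation algorithm, so all three should change together.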

    @@ -104489,6 +104503,9 @@ interface NotRestoredReasons {
    custom element registry
    a new CustomElementRegistry object
    + +
    embedder has margin attributes
    +
    embedderHasMarginAttributes
  • @@ -111257,6 +111274,16 @@ location.href = '#foo';
    data-x="concept-response-timing-info">timing info's start time.

    +
  • Let embedder be navigationParams's navigable's container.

  • + +
  • Let embedderHasMarginAttributes be true if embedder is a + frame element or an iframe element that has a marginwidth or a marginheight attribute specified, and false + otherwise.

  • +
  • Let document be a new Document, with
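Review bot: the "Let embedderHasMarginAttributes be ..." step added here is a verbatim copy of the step added to the other Document creation algorithm earlier in this patch. Define the condition once, for instance as a named algorithm that takes embedder, and invoke it from both places so the two copies cannot drift apart. The new "Let embedder be navigationParams's navigable's container" step should also say what happens for a navigable that has no container; "false otherwise" covers it, but only implicitly.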

    @@ -111314,6 +111341,9 @@ location.href = '#foo';
    custom element registry
    a new CustomElementRegistry object
    + +
    embedder has margin attributes
    +
    embedderHasMarginAttributes
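Review bot: only two "new Document, with" sites in this patch set embedder has margin attributes, so any other path that creates a Document for a child navigable keeps the initial value false and gets the 8px default even when its container has a marginwidth or marginheight attribute. Confirm that this is intended for each remaining creation path, or list in the commit message which ones are deliberately left out.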
  • @@ -145088,11 +145118,12 @@ html, body { display: block; }
    -

    For each property in the table below, given a body element, the first attribute - that exists maps to the pixel length property on the body element. If - none of the attributes for a property are found, or if the value of the attribute that was found - cannot be parsed successfully, then a default value of 8px is expected to be used - for that property instead.

    +

    For each property in the table below, given a body + element body, the first attribute that exists maps to the pixel length + property on body. If none of the attributes for a property are found, or if the + value of the attribute that was found cannot be parsed successfully, then the default body + margin given body is expected to be used for that property + instead.

    @@ -145101,36 +145132,31 @@ html, body { display: block; } - - - - - -
    Source
    'margin-top', 'margin-bottom' - The body element's marginheight attribute -
    The body element's topmargin attribute + 'margin-top', 'margin-bottom' + body's marginheight attribute
    The body element's container frame element's marginheight attribute + body's topmargin attribute
    'margin-left', 'margin-right' - The body element's marginwidth attribute -
    The body element's leftmargin attribute + 'margin-left', 'margin-right' + body's marginwidth attribute
    The body element's container frame element's marginwidth attribute + body's leftmargin attribute
    -

    If the body element's node document's node navigable is - a child navigable, and the container of that - navigable is a frame or iframe element, then the - container frame element of the body element is that frame or - iframe element. Otherwise, there is no container frame element.

    +

    The default body margin given a body element body is 0px + if body's node document's embedder has margin attributes is true, + and 8px otherwise.

    -

    The above requirements imply that a page can change the margins of another page - (including one from another origin) using, for example, an iframe. This - is potentially a security risk, as it might in some cases allow an attack to contrive a situation - in which a page is rendered not as the author intended, possibly for the purposes of phishing or - otherwise misleading the user.

    +

    The above requirements imply that a page can change the margins of another + page to 0px (including one from another origin) using, for example, an + iframe. This is potentially a security risk, as it might in some cases allow an + attack to contrive a situation in which a page is rendered not as the author intended, possibly + for the purposes of phishing or otherwise misleading the user.
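Review bot: the removed table rows mapped the container's marginheight and marginwidth values to the body margins per axis, whereas the new "default body margin" is 0px whenever embedder has margin attributes is true. That changes two things beyond removing the live dependency on the container: the value of the container's attribute is no longer used, and specifying only marginwidth (or only marginheight) now sets the default to 0px on both axes. Neither is mentioned in the commit message; state both there and next to the definition of default body margin. The rewritten security note could also say that the embedder's influence is limited to this one choice, made when the document is created.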
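Review bot: in PATCH 1/2, the hunk at -145109 deletes the 'margin-right' and 'margin-bottom' rows and with them the only visible mapping for the body element's rightmargin and bottommargin attributes, while the subject line mentions only topmargin and leftmargin. Say in the commit message that rightmargin and bottommargin no longer map to any property, and check that no other text in source still refers to them as mapping to margins.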