W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > January 2011

[Bug 11720] At the moment, chrome and opera thinks that iframe with source equal to data url has *not* the same origin as parent window's document. I think that this behavior is much more useful, because it can be used as a simpliest way of sandboxing of content.

From: <bugzilla@jessica.w3.org>
Date: Mon, 10 Jan 2011 17:18:06 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PcLNe-000178-P3@jessica.w3.org>

--- Comment #1 from Fedor Indutny <fedor@indutny.com> 2011-01-10 17:18:06 UTC ---
Created attachment 940
  --> http://www.w3.org/Bugs/Public/attachment.cgi?id=940
Testcase for browsers

As you can see - chrome and opera has no access to document cookies and
window.parent, while firefox has.

I think that in this case chrome and firefox are right, b/c protocol differs
and there no hostname for data-urls.

As I'd said this can be used for content-sandboxing and JSONP-sandboxing (in a
couple with window.postMessage() API )

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Monday, 10 January 2011 17:18:08 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 16:31:03 UTC