
Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: <sird@rckc.at>
Date: Sun, 6 Dec 2009 17:30:05 +0800
Message-ID: <8ba534860912060130v3817f685jcaa5662077d2a702@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, Maciej Stachowiak <mjs@apple.com>, public-web-security@w3.org
Ian, isn't allow-same-origin confusing? Since if it's same origin, what stops
you from linking it and bypassing those protections?

greetz!

On Dec 6, 2009 5:25 PM, "Ian Hickson" <ian@hixie.ch> wrote:

On Sun, 6 Dec 2009, sird@rckc.at wrote:
>
> yeah, that's exactly what I was talking about:
> http:/...
<iframe sandbox src=""> is intended primarily for cross-origin embedding,
not same-origin. For same-origin, we'll probably add <iframe sandbox
doc="">, with inline source.

> And if developers start using the example that is given in the spec,
> then a lot of people (de...
I'll add some text mentioning this case.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 09:30:44 GMT
