W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 06 Dec 2009 02:03:59 -0800
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Message-id: <7C7CFD51-AF5D-40A5-A40F-208FD25503BA@apple.com>
To: Ian Hickson <ian@hixie.ch>

On Dec 6, 2009, at 1:38 AM, Ian Hickson wrote:

> On Sun, 6 Dec 2009, sird@rckc.at wrote:
>>
>> ian, isnt allow-same-origin confusing? since if its same origin what
>> stops you from linking it and bypassing those protections.
>
> allow-same-origin is only really intended to be used with the
> aforementioned doc="" attribute idea (eventually) and data: URIs (in  
> the
> meantime). The example you mention is indeed misleading.

It seems like a data: URI would not do the trick, since it already has  
a unique origin, so allow-same-origin would not do what it is intended  
to. I believe you would have to document.write() into the iframe's  
content document (after loading about:blank), or load it with a  
javascript: URI containing a constant string.

Regards,
Maciej
Received on Sunday, 6 December 2009 10:04:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT