W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 6 Dec 2009 10:30:50 +0000 (UTC)
To: Maciej Stachowiak <mjs@apple.com>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912061030100.5629@hixie.dreamhostps.com>
On Sun, 6 Dec 2009, Maciej Stachowiak wrote:
> On Dec 6, 2009, at 1:38 AM, Ian Hickson wrote:
> > On Sun, 6 Dec 2009, sird@rckc.at wrote:
> > > 
> > > ian, isnt allow-same-origin confusing? since if its same origin what 
> > > stops you from linking it and bypassing those protections.
> > 
> > allow-same-origin is only really intended to be used with the 
> > aforementioned doc="" attribute idea (eventually) and data: URIs (in 
> > the meantime). The example you mention is indeed misleading.
> 
> It seems like a data: URI would not do the trick, since it already has a 
> unique origin, so allow-same-origin would not do what it is intended to. 
> I believe you would have to document.write() into the iframe's content 
> document (after loading about:blank), or load it with a javascript: URI 
> containing a constant string.

The origin of a data: Document is the same as its parent browsing 
context's Document's origin.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 10:31:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT