Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 6 Dec 2009 08:34:46 -0800
Message-ID: <7789133a0912060834w10822a69ke8e2ffd6544eac1f@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Sun, Dec 6, 2009 at 1:38 AM, Ian Hickson <ian@hixie.ch> wrote:
> On Sun, 6 Dec 2009, sird@rckc.at wrote:
>> Ian, isn't allow-same-origin confusing? since if it's same origin what
>> stops you from linking it and bypassing those protections?
>
> allow-same-origin is only really intended to be used with the
> aforementioned doc="" attribute idea (eventually) and data: URIs (in the
> meantime). The example you mention is indeed misleading.

Plenty of people will screw this up, but I'm not sure how best to help
them.  One mitigating factor is that developers know that old browsers
don't support @sandbox.  I'm not sure what happens when that's no
longer the case (but thankfully (!), old browsers will be with us for a
long time).

Adam
Received on Sunday, 6 December 2009 16:35:39 GMT
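
The check below is an added example, not part of the original message or of any browser's code. It audits iframe markup for the case raised in the thread: allow-same-origin applied to a same-origin document rather than to a data: URI. PAGE_URL, SAMPLE_HTML and the verdict names are constructed for illustration.

```javascript
// Added example (not from the thread): flag sandboxed iframes whose
// allow-same-origin token is applied to a same-origin http(s) document.
// PAGE_URL and SAMPLE_HTML are constructed sample input.
const PAGE_URL = "https://app.example/dashboard";
const SAMPLE_HTML = `
<iframe sandbox="allow-same-origin allow-forms" src="/widgets/comments.html"></iframe>
<iframe sandbox="allow-same-origin" src="data:text/html,hello"></iframe>
<iframe sandbox='allow-scripts' src="/widgets/preview.html"></iframe>
<iframe sandbox="allow-same-origin" src="https://cdn.example/embed.html"></iframe>
<iframe src="/widgets/legacy.html"></iframe>`;

// Parse the attribute text of one start tag into a lowercase-keyed object.
function parseAttrs(text) {
  const attrs = {};
  const re = /([^\s"'=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Classify one iframe relative to the embedding page's URL.
function classify(attrs, pageUrl) {
  if (!("sandbox" in attrs)) return "not-sandboxed";
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  if (!tokens.includes("allow-same-origin")) return "unique-origin";
  if (!("src" in attrs)) return "no-src";
  let target;
  try { target = new URL(attrs.src, pageUrl); } catch { return "bad-src"; }
  if (target.protocol === "data:") return "data-uri"; // the use the thread calls intended
  // Same-origin document: nothing stops it from also being opened directly,
  // at which point the sandbox restrictions no longer apply to it.
  if (target.origin === new URL(pageUrl).origin) return "REVIEW-same-origin";
  return "cross-origin";
}

// Return one { src, verdict } record per <iframe> start tag in the markup.
function auditIframes(html, pageUrl) {
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  return [...html.matchAll(tagRe)].map((m) => {
    const attrs = parseAttrs(m[1]);
    return { src: attrs.src ?? null, verdict: classify(attrs, pageUrl) };
  });
}

console.log(auditIframes(SAMPLE_HTML, PAGE_URL));
```

Only the REVIEW-same-origin verdict corresponds to the confusion discussed above; the regex-based tag scan is enough for an audit of static templates but is not a full HTML parser.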