[webappsec] UISecurity input protection: same origin or same document? from Brad Hill on 2013-10-31 (public-webappsec@w3.org from October 2013)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 31 Oct 2013 10:25:55 -0700
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8j_dVp2f30rHzZeNOt-+VTdsG=yLxFGHi93Em2AvKnN=Q@mail.gmail.com>

The current input protection heuristic says that repaint events or
obstructions caused by a different document trigger a violation.

As it is likely that user agents may composite together rendering of nested
iframes from the same origin, are there any objections to weakening the
heuristic from being same-document to merely same-origin, to avoid another
implementation barrier here?

-Brad

Received on Thursday, 31 October 2013 17:26:23 UTC