Re: Defining secure-enough origins. from Mike West on 2014-08-22 (public-webappsec@w3.org from August 2014)

From: Mike West <mkwst@google.com>
Date: Fri, 22 Aug 2014 15:58:57 +0200
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAKXHy=dsU3S_=Q5VbucvPJKoQFj5YUO0RF_UznC80=gweOxeeg@mail.gmail.com>

On Fri, Aug 22, 2014 at 3:57 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 8/22/14, 9:55 AM, Mike West wrote:
>
>> I'm less convinced that breaking 'about:blank' is a bug, though I'm sure
>> it's widely used. Would it be that bad to force about:blank frames to
>> ask for data from their parent via postMessage?
>>
>
> How is the about:blank case fundamentally different from the srcdoc case?

Frames can be navigated to 'about:blank' across origins (via window.opener,
for instance). Frames can't be navigated to an effective 'about:srcdoc' (I
think).

-mike

Received on Friday, 22 August 2014 13:59:44 UTC