
Re: Defining secure-enough origins.

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Fri, 22 Aug 2014 10:03:12 -0400
Message-ID: <53F74DA0.708@mit.edu>
To: Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>

On 8/22/14, 9:58 AM, Mike West wrote:
> Frames can be navigated to 'about:blank' across origins (via
> window.opener, for instance).

Sure.  So for about:blank the origin is what matters.  And for sandboxed 
about:blank you're really not quite sure where it came from, is that the 
issue?

> Frames can't be navigated to an effective
> 'about:srcdoc' (I think).

Well, by setting the srcdoc attribute on the iframe, right?  Is the 
claim that this is ok because only code that's same-origin with the 
iframe element can do that?  But I thought we were talking about 
transports, not origins...

-Boris
Received on Friday, 22 August 2014 14:03:42 UTC
