- From: Rich Tibbett <rich.tibbett@gmail.com>
- Date: Wed, 13 Jan 2016 19:23:42 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Jan 13, 2016 at 6:29 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Wed, Jan 13, 2016 at 6:23 PM, Rich Tibbett <rich.tibbett@gmail.com> wrote: >> On Wed, Jan 13, 2016 at 6:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote: >>> On Wed, Jan 13, 2016 at 5:59 PM, Rich Tibbett <rich.tibbett@gmail.com> >>> wrote: >>>> Alternatively, could an HTTPS iframe be suitably >>>> sandboxed from its non-secure parent(s) so it can continue to gain >>>> access to >>>> powerful APIs? >>> >>> No postMessage()? What did you have in mind? >> >> Why could browsers not ship a properly secure sandbox and why should that >> not be proposed in this group / mailing list? > > Hence my questions, what does a suitably/properly secure sandbox mean? Strawman time...but it means an iframe that could essentially be considered orphaned and detached from its parent. Having an orphaned iframe that is, effectively, treated as its own top-level document and should prevent communication loopholes or any shared state between itself and a 'detached' parent. > > >> So impossible then unless the whole web adopts HTTPS before this ships? > > If the whole web is to embed you, I suppose. That's not much of a choice at all really: http://www.adtile.me/motion-ads.
Received on Wednesday, 13 January 2016 18:24:33 UTC