[whatwg] Communicating between different-origin frames

On Wed, 14 Jul 2010, James Graham wrote:
>
> Following some discussion of [1], it was pointed out to me that it is 
> possible to make two pages on separate subdomains communicate without 
> either setting their document.domain by proxying the communication 
> through pages that have set their document.domain. There is a demo of 
> this at [2].
> 
> I'm not sure if this is already well-known or whether it is harmless or 
> not.
> 
> [1] http://my.opera.com/hallvors/blog/2010/07/13/ebay-versus-security-policy-consistency
> [2] http://sloth.whyi.org/~jl/cross-domain.html

On Wed, 14 Jul 2010, Adam Barth wrote:
>
> This is well-known
> 
> http://www.collinjackson.com/research/papers/fp801-jackson.pdf
> 
> but not a good idea (see Section 4.4):
> 
> http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf

I haven't changed the spec regarding this, since it's not clear what a 
better solution would be. If anyone has a concrete proposal for what we 
should require, please let me know.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 10 August 2010 16:55:37 UTC
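The arrangement James describes, as an added example that is not part of the thread or of the cited papers: two top-level pages on sibling subdomains that never touch document.domain, each embedding a same-host frame that sets it to the parent domain. The script below is a small Node model of the HTML "same origin-domain" check as the spec states it (both sides unset and same origin, or both set to the same value under the same scheme), applied to that arrangement; it implements the spec rule only and does not reproduce any particular 2010 browser's behaviour. The hostnames a.example.com, b.example.com and evil.example.com, the document names, and the simplified public-suffix test are assumptions of the example.

```javascript
'use strict';
// Added example, not from the thread or the cited papers: a model of the HTML
// "same origin-domain" check applied to the document.domain proxy arrangement.
// Hostnames and document names are hypothetical.

// One document's origin as the spec tracks it: scheme, host, port, plus the
// "domain" slot that document.domain fills in (null until it is set).
function makeDocument(name, url) {
  const u = new URL(url);
  return {
    name,
    scheme: u.protocol.replace(':', ''),
    host: u.hostname,
    port: u.port || (u.protocol === 'https:' ? '443' : '80'),
    domain: null,
  };
}

// document.domain setter, simplified from the spec: the new value must equal
// the host or be a dot-separated suffix of it, and must not be a bare public
// suffix (approximated here as "contains a dot"; browsers consult the PSL).
function setDocumentDomain(doc, value) {
  const v = String(value).toLowerCase();
  if (!v.includes('.')) throw new Error('SecurityError: public suffix');
  if (doc.host !== v && !doc.host.endsWith('.' + v)) {
    throw new Error('SecurityError: not a suffix of ' + doc.host);
  }
  doc.domain = v;
  return doc;
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Same origin-domain (the check DOM access uses): both domains unset and same
// origin, or both set to the same value under the same scheme (port ignored).
// A set/unset pair never matches, even when both documents share a host.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return false;
}

// Names of every document in `docs` that may script `target` directly.
function scriptableBy(target, docs) {
  return docs
    .filter((d) => d !== target && sameOriginDomain(d, target))
    .map((d) => d.name);
}

// The arrangement from the thread, plus one constructed page on a third
// subdomain that also relaxes to example.com, to show what the proxies expose.
function proxyArrangement() {
  const A = makeDocument('A', 'https://a.example.com/page');
  const Aproxy = setDocumentDomain(makeDocument("A'", 'https://a.example.com/proxy'), 'example.com');
  const B = makeDocument('B', 'https://b.example.com/page');
  const Bproxy = setDocumentDomain(makeDocument("B'", 'https://b.example.com/proxy'), 'example.com');
  const other = setDocumentDomain(makeDocument('evil', 'https://evil.example.com/'), 'example.com');
  const docs = [A, Aproxy, B, Bproxy, other];
  return {
    topLevelsDirect: sameOriginDomain(A, B),            // false: neither relaxed
    proxiesEachOther: sameOriginDomain(Aproxy, Bproxy), // true: the bridge
    topToOwnProxy: sameOriginDomain(A, Aproxy),         // false: same host, one side relaxed
    whoCanScriptAproxy: scriptableBy(Aproxy, docs),     // ["B'", "evil"]
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(proxyArrangement());
}
```

Two things the model makes visible that the one-line description does not. First, under the spec rule a top-level page and its own relaxed frame are not same origin-domain even though they share a host, so the top-level hop of such a bridge has to use a channel that does not depend on document.domain, such as postMessage; only the frame-to-frame hop rides on the relaxation. Second, the relaxation is not pairwise: once A' has set document.domain to example.com it is scriptable by any example.com subdomain page that does the same, so whatever A' relays on behalf of A is reachable from far more than b.example.com.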