
[whatwg] Proposal: location.parentOrigin

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 4 Apr 2012 22:25:11 -0700
Message-ID: <CALx_OUCco-kp2DSFr_MekPCTV+cMR6Jop9cT-cXGuGm6gyaS2Q@mail.gmail.com>

In fact, in the vein of opt-in disclosure perhaps something like
discloselocation={none|origin|full} would be more convenient - in
which case, you get something like
window.parentLocations[n].{origin|href|hash|...}

I constantly fear that origin scoping for security mechanisms is too
coarse-grained in many use cases, because the complexity of what lives
in any single origin is growing pretty rapidly. Sites put
attacker-controlled content inside framed gadgets or advertisements,
and can't be reasonably expected to understand that if such a frame is
navigated to in a particular way, it may circumvent an origin-scoped
check.

/mz
Received on Wednesday, 4 April 2012 22:25:11 GMT
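
The coarse-granularity concern in the message above, as an added example that is not part of the original post or of any shipped browser API: `discloselocation` and `parentLocations` exist only as the proposal in this thread, so ancestors are modelled here as plain objects, and all hostnames, paths and function names are constructed assumptions.

```javascript
// Added illustration. Hostnames and paths are constructed; ancestor entries are
// plain objects modelling what the proposed disclosure levels would expose.
function disclose(href, level) {
  const u = new URL(href);
  if (level === 'none') return {};
  if (level === 'origin') return { origin: u.origin };
  return { origin: u.origin, href: u.href, hash: u.hash }; // 'full'
}

// Origin-scoped check: every ancestor must be on a trusted origin.
function originCheck(ancestors, trustedOrigins) {
  return ancestors.length > 0 &&
    ancestors.every(a => trustedOrigins.includes(a.origin));
}

// Finer-grained check: trusted origin AND an allowed path prefix.
// Fails closed when the ancestor did not disclose its full URL.
function pathCheck(ancestors, allowed) {
  return ancestors.length > 0 && ancestors.every(a => {
    if (typeof a.href !== 'string') return false;
    const u = new URL(a.href); // normalises "../" segments before comparison
    return allowed.some(p => u.origin === p.origin && u.pathname.startsWith(p.prefix));
  });
}

const TRUSTED = ['https://portal.example'];
const ALLOWED = [{ origin: 'https://portal.example', prefix: '/app/' }];

// Same origin, very different trust: the application page versus a gadget
// renderer that serves third-party content.
const appPage = 'https://portal.example/app/dashboard';
const gadget = 'https://portal.example/gadgets/render?id=constructed';

function demo() {
  const viaApp = [disclose(appPage, 'full')];
  const viaGadget = [disclose(gadget, 'full')];
  return {
    originApp: originCheck(viaApp, TRUSTED),        // true
    originGadget: originCheck(viaGadget, TRUSTED),  // true: origin cannot tell them apart
    pathApp: pathCheck(viaApp, ALLOWED),            // true
    pathGadget: pathCheck(viaGadget, ALLOWED),      // false
    pathOriginOnly: pathCheck([disclose(appPage, 'origin')], ALLOWED), // false: fails closed
  };
}

console.log(demo());
```

A framed document that relies on the path-scoped check needs the `full` disclosure level from its embedder; with `origin` only, it has to reject.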
