[whatwg] Proposal: location.parentOrigin

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 5 Apr 2012 18:07:05 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1204051759050.22654@ps20323.dreamhostps.com>

On Wed, 4 Apr 2012, Michal Zalewski wrote:
>
> In fact, in the vein of opt-in disclosure perhaps something like 
> discloselocation={none|origin|full} would be more convenient - in which 
> case, you get something like 
> window.parentLocations[n].{origin|href|hash|...}
> 
> I constantly fear that origin scoping for security mechanisms is too 
> coarse-grained in many use cases, because the complexity of what lives 
> in any single origin is growing pretty rapidly. Sites put 
> attacker-controlled content inside framed gadgets or advertisements, and 
> can't be reasonably expected to understand that if such a frame is 
> navigated to in a particular way, it may circumvent an origin-scoped 
> check.

Tab suggests (on IRC) that this should just be tied to sandbox="", which 
seems reasonable at first blush.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 5 April 2012 11:07:05 GMT
