
[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 9 Apr 2012 16:36:32 -0700
Message-ID: <CAKvcKKnEDavBV4W2jWaH1-yBBQazaccj=sqg59Y1-Oggn6NbDA@mail.gmail.com>
On Mon, Apr 9, 2012 at 4:17 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> Why is this so complicated?
>
> It seems clear to me that there is a use-case for sending a message to
> your parent frame, but only wanting to do so when your parent frame is
> from the same origin as you.

I think there's also a use case for securely sending a message to your
original window.open()'er, such that it can't be intercepted by any
page that can navigate your window.open()'er.

That means a page needs to know the Origin of its window.open()'er,
which may be different from the page's own Origin.

--Tyler
Received on Monday, 9 April 2012 16:36:32 GMT
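
The interception case described in the message above, as an added example that is not part of the original post: a small model of the `postMessage(message, targetOrigin)` delivery rule, showing why a reply pinned to the opener's origin is dropped when the opener has been navigated, while a `"*"` reply is delivered to whatever document now occupies that window. `ModelWindow`, `replyToOpener` and the origins are hypothetical, and the example assumes the popup already knows its opener's origin.

```javascript
// Minimal model of cross-window messaging (constructed for illustration; not a browser API).
// A window handle stays the same object when the document inside it is replaced.
class ModelWindow {
  constructor(origin) {
    this.origin = origin; // origin of the document currently loaded
    this.inbox = [];      // messages delivered to that document
  }
  // Navigation replaces the document; handles held by other pages are unchanged.
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.inbox = [];
  }
  // Mirrors the postMessage targetOrigin rule: deliver only when targetOrigin
  // is "*" or equals the origin of the document currently in the window.
  postMessage(message, targetOrigin, senderOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return false;
    this.inbox.push({ data: message, origin: senderOrigin });
    return true;
  }
}

// Hypothetical origins for the scenario.
const OPENER_ORIGIN = "https://app.example";
const OTHER_ORIGIN = "https://other.example";
const POPUP_ORIGIN = "https://handler.example";

// The popup replies to its opener, which may have been navigated in the meantime.
// Assumption: the popup knows OPENER_ORIGIN in advance.
function replyToOpener(targetOrigin, openerNavigatedTo) {
  const opener = new ModelWindow(OPENER_ORIGIN);
  if (openerNavigatedTo) opener.navigate(openerNavigatedTo);
  const delivered = opener.postMessage("result-token", targetOrigin, POPUP_ORIGIN);
  return { delivered, receivedBy: delivered ? opener.origin : null };
}

const cases = [
  ["wildcard, opener unchanged", replyToOpener("*", null)],
  ["wildcard, opener navigated", replyToOpener("*", OTHER_ORIGIN)],
  ["pinned, opener unchanged", replyToOpener(OPENER_ORIGIN, null)],
  ["pinned, opener navigated", replyToOpener(OPENER_ORIGIN, OTHER_ORIGIN)],
];
for (const [name, result] of cases) console.log(name, JSON.stringify(result));
```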
