W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2012

[whatwg] crossorigin property on iframe

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 12 Apr 2012 12:42:15 -0700
Message-ID: <CAJE5ia8F1OnCjfUMCy3cWOnOf3eue_1cCbWntQt-2sp5ry4WUw@mail.gmail.com>
Would this be transitive?  Suppose A allows B with CORS and B allows
C.  What happens when C includes a frame to B and B includes a frame
to A?  Can C access A?  Based on your description, it sounds like
"yes", but there's widespread evidence that transitive trust is
problematic.

Adam


On Thu, Apr 12, 2012 at 12:30 PM, Ojan Vafai <ojan at chromium.org> wrote:
> We should add a crossorigin property on iframe that causes the request to
> use CORS. If it's an allowed cross-domain request, then the page should
> have access to the DOM of the frame.
>
> Also, seamless should work (assuming the CORS request succeeded of
> course). One tricky thing here is that seamless needs to stop working if
> the frame is navigated to a different origin to which it does not have CORS
> access.
>
> Ojan
Received on Thursday, 12 April 2012 12:42:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:07 GMT