[whatwg] keepalive attribute on iframe

From: Ryosuke Niwa <rniwa@webkit.org>
Date: Tue, 17 Apr 2012 20:58:02 -0700
Message-ID: <CABNRm605zP1rMyot0c0ahEgXjHS+dpHQoss=FP+sHVLNf=oqsg@mail.gmail.com>
On Tue, Apr 17, 2012 at 8:35 PM, Dmitry Titov <dimich at chromium.org> wrote:

> Would some sort of a same-origin policy help here? If both the iframe and
> parent document are same origin, can it be done, at least for the
> reparenting in the same JS execution block? Most (all?) of the security
> issues were specifically cross-origin.

If I remember correctly, some of the bugs we've had weren't about cross-origin
iframes. It was about not being able to infer the correct origin in a
detached iframe. So yes, they were cross-origin bugs because we ended up
executing scripts we shouldn't be executing but that's not because iframes
were cross-origin to begin with.

> But yes, there are a lot of assumptions in the code about not only iframes,
> but most active objects to function only while they are connected all the
> way through to the valid DOM. There are too many APIs (and new ones are
> coming all the time) that pick up that assumption. It is not impossible,
> just a lot of work.

I would go as far as to say it's practically impossible.

- Ryosuke
Received on Tuesday, 17 April 2012 20:58:02 UTC