
Re: [whatwg] AllowSeamless feedback

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 18 Jan 2013 14:40:17 +0100
Message-ID: <CADnb78j+p=8tj6z6T7j1ndE=DBxweWqeidms+ZQ5+w-KtX4vfg@mail.gmail.com>
To: Markus Ernst <derernst@gmx.ch>
Cc: whatwg@whatwg.org, Nasko Oskov <nasko@chromium.org>

On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derernst@gmx.ch> wrote:
> The allow-seamless mechanism is to be triggered at the side of the embedded
> resource, which would also be the one affected by possible security risks
> (if I get this right). The developer of this resource will have to be aware
> of these risks, and avoid exposing critical stuff in pages that allow
> seamless embedding.
> So, would it be possible to generally treat resources that allow seamless
> embedding as same-origin from the security POV?

No. And "AllowSameOrigin" would not work either. Because of scripting
one resource granting such access means exposing the entire origin to

Received on Friday, 18 January 2013 13:40:42 UTC
