
Re: [whatwg] AllowSeamless feedback

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 18 Jan 2013 14:40:17 +0100
Message-ID: <CADnb78j+p=8tj6z6T7j1ndE=DBxweWqeidms+ZQ5+w-KtX4vfg@mail.gmail.com>
To: Markus Ernst <derernst@gmx.ch>
Cc: whatwg@whatwg.org, Nasko Oskov <nasko@chromium.org>

On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derernst@gmx.ch> wrote:
> The allow-seamless mechanism is to be triggered at the side of the embedded
> resource, which would also be the one affected by possible security risks
> (if I get this right). The developer of this resource will have to be aware
> of these risks, and avoid exposing critical stuff in pages that allow
> seamless embedding.
>
> So, would it be possible to generally treat resources that allow seamless
> embedding as same-origin from the security POV?

No. And "AllowSameOrigin" would not work either. Because of scripting,
one resource granting such access means exposing the entire origin to
attacks.

-- 
http://annevankesteren.nl/
Received on Friday, 18 January 2013 13:40:42 GMT
