
Re: [whatwg] AllowSeamless feedback

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 18 Jan 2013 11:20:06 -0500
Message-ID: <50F97636.6000107@mit.edu>
To: whatwg@lists.whatwg.org

On 1/18/13 8:40 AM, Anne van Kesteren wrote:
> On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derernst@gmx.ch> wrote:
>> The allow-seamless mechanism is to be triggered at the side of the embedded
>> resource, which would also be the one affected by possible security risks
>> (if I get this right). The developer of this resource will have to be aware
>> of these risks, and avoid exposing critical stuff in pages that allow
>> seamless embedding.
>>
>> So, would it be possible to generally treat resources that allow seamless
>> embedding as same-origin from the security POV?
>
> No. And "AllowSameOrigin" would not work either. Because of scripting
> one resource granting such access means exposing the entire origin to
> attacks.

I'm not sure why.

It sounded to me like the proposal was that if a resource is flagged as 
AllowSameOrigin and loaded in an iframe then the origin it gets is an 
alias for the origin of the ownerDocument of the iframe (basically the 
way data: or srcdoc work).  That seems like it wouldn't expose too 
much... except for niggling issues around code that uses location.href 
to determine origins.  :(

-Boris
Received on Friday, 18 January 2013 16:20:33 GMT
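
The location.href concern raised in the message above, as an added example that is not part of the original post or of any spec text: it compares the origin that code derives from a document's URL with the origin the browser would actually enforce. The document records, the `effectiveOrigin` field and the host.example / widgets.example names are constructed assumptions, and the AllowSameOrigin row models the proposal only as the message describes it.

```javascript
// Added illustration; the document records below are constructed, not captured.
// effectiveOrigin models the origin the browser would enforce for the document.
const docs = [
  { name: "ordinary cross-origin frame",
    href: "https://widgets.example/embed.html",
    effectiveOrigin: "https://widgets.example" },
  { name: "srcdoc frame (inherits its embedder's origin)",
    href: "about:srcdoc",
    effectiveOrigin: "https://host.example" },
  { name: "hypothetical AllowSameOrigin frame (origin aliased to embedder)",
    href: "https://widgets.example/embed.html",
    effectiveOrigin: "https://host.example" },
];

// What code that "determines origins from location.href" computes.
function originFromHref(href) {
  try {
    return new URL(href).origin; // "null" for about: and similar schemes
  } catch {
    return "null"; // unparsable URL: treat as an opaque origin
  }
}

// Report every document whose href-derived origin differs from the enforced one.
function findOriginMismatches(documents) {
  return documents
    .map((d) => ({ ...d, hrefOrigin: originFromHref(d.href) }))
    .filter((d) => d.hrefOrigin !== d.effectiveOrigin);
}

// The same trust decision made both ways, for comparison.
function trustDecision(doc, trustedOrigin) {
  return {
    byHref: originFromHref(doc.href) === trustedOrigin,
    byEffectiveOrigin: doc.effectiveOrigin === trustedOrigin,
  };
}

for (const d of findOriginMismatches(docs)) {
  console.log(`${d.name}: href says ${d.hrefOrigin}, enforced origin is ${d.effectiveOrigin}`);
}
```

The srcdoc row shows the mismatch already exists for inherited origins; the aliased row shows the new case, where the URL parses to a real but different origin, so an href-based check gives a confident wrong answer rather than "null".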