
RE: src attribute of IFRAME and FRAME

From: Brian Bober <netdemonz@yahoo.com>
Date: Thu, 28 Feb 2002 23:24:08 -0500
To: <www-html@w3.org>, <www-dom@w3.org>
Cc: <BDGray@uwyo.edu>
Message-ID: <003401c1c0d8$eef88d60$1f871918@NETDEMON3>

Benjamin D. Gray: The URI of the document within the frame is not
readable by the document outside the frame.

Philippe: at least the document outside the frame should have some way
of knowing that the frame's URI was changed. I don't know if this is
currently in the standard or not.

I don't see how this is a huge security risk. Any information that
should be secured (passwords, etc) shouldn't be put in the URI of a
document. As for passwords to servers, such as ftp://user:pass@blah, the
user agent can strip the user:pass part of the URI. I could see many
uses for this ability. For instance...

An embedding application could show information like stocks, etc while
you are browsing.

A web page could do the same thing in a frame while you are browsing in
another frame. It could then show in a textarea where you are and you
could even enter new URIs in the textarea and press Go, etc. 

If you think it's too much of a security risk to be able to do this,
then what about being able to use the src attribute of the frame
indirectly, such as copying it to a textarea, etc - but not being able
to record it? When you write to the textarea, the textarea could be
marked as no longer readable by the page until it's cleared.

-----Original Message-----
From: www-dom-request@w3.org [mailto:www-dom-request@w3.org] On Behalf
Of Philippe Le Hegaret
Sent: Monday, February 11, 2002 2:16 PM
To: Brian Bober
Cc: www-html@w3.org; WWW DOM
Subject: Re: src attribute of IFRAME and FRAME

On Sun, 2001-12-02 at 23:38, Brian Bober wrote:
> HTML and DOM stickers:
> 
> Please CC me on any replies.
> 
> 1) Frames
> 
> In the HTML specs, it says that the src attribute should be the original
> content of the frame, but it doesn't say whether you are allowed to
> dynamically update it. If you aren't officially allowed to dynamically
> update it, then it is an error with the standard, otherwise it is an
> error with the documentation. You should be allowed to update frames in
> DOM and if that isn't the intent of the DOM standard, then it needs to
> be added. Is there any errata on this?

For security reasons, it is important not to let the user access the URI
of the other document. src is not dynamically updated and we don't plan
to add a new attribute for that effect.

Please, let us know if you are (or are not) satisfied with this decision,

Philippe,
for the DOM WG.


Received on Thursday, 28 February 2002 23:24:15 GMT
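
Added example, not part of the original thread: a JavaScript model of the two positions discussed above, where the frame's URI is withheld from the embedding document and, where it is exposed, the user:pass part is stripped as the message suggests. The function names and sample URIs are constructed, and gating exposure on same origin is an assumption based on how browsers treat cross-document access, not something the thread specifies.

```javascript
"use strict";
// Added illustration: function names are hypothetical, sample URIs are constructed.

// Remove the user:pass@ part of a URI, as the message proposes a user agent could.
function stripUserinfo(uri) {
  const u = new URL(uri); // throws on an unparseable URI
  u.username = "";
  u.password = "";
  return u.href;
}

// Same-origin test (scheme, host, port). Userinfo is not part of the origin.
// Opaque origins serialize as "null" (e.g. file: or data:) and never match.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// What the embedding document would be given for the frame's current URI.
// Assumption: cross-origin -> null (the "not readable" position),
//             same-origin  -> the URI with userinfo stripped.
function frameUriVisibleTo(parentUri, frameUri) {
  try {
    if (!sameOrigin(parentUri, frameUri)) return null;
    return stripUserinfo(frameUri);
  } catch {
    return null; // unparseable input: expose nothing
  }
}

// The components still present once userinfo has been stripped.
function remainingComponents(uri) {
  const u = new URL(stripUserinfo(uri));
  return { host: u.host, path: u.pathname, query: u.search, fragment: u.hash };
}

// Constructed samples, including the ftp://user:pass@blah form from the message.
const parent = "https://portal.example/index.html";
console.log(stripUserinfo("ftp://user:pass@blah/pub/file.txt"));
console.log(frameUriVisibleTo(parent, "https://user:pw@portal.example/a?x=1"));
console.log(frameUriVisibleTo(parent, "https://other.example/account?sid=abc"));
console.log(remainingComponents("https://user:pw@shop.example/cart?sid=abc123#step2"));
```
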

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 22 June 2012 06:13:55 GMT