
Re: src attribute of IFRAME and FRAME

From: Johnny Stenback <jst@netscape.com>
Date: Fri, 15 Mar 2002 17:09:26 -0800
Message-ID: <3C929B46.3030109@netscape.com>
To: "Benjamin D. Gray" <BDGray@uwyo.edu>
CC: www-html@w3.org, WWW DOM <www-dom@w3.org>, Brian Bober <netdemonz@yahoo.com>
No, the URI of the frame is never readable from a document unless the 
document comes from the same host that the frame comes from (unless you 
change document.domain). It doesn't matter if the document that is 
trying to access the src is the document that contains the frame. 
Imagine yourself browsing to evil.com and they put up a whole page frame 
and load some other site into that frame; from there on, evil.com could 
track what pages you're browsing in that window w/o you knowing it until 
you cause the surrounding frame to be unloaded. That would not be 
acceptable from a privacy point of view.

Benjamin D. Gray wrote:
> Is the URI of the document within the frame at least readable by the
> surrounding frames or main document?
> 
> Benjamin D. Gray
> 
> -----Original Message-----
> From: Philippe Le Hegaret [mailto:plh@w3.org]
> Sent: Monday, February 11, 2002 12:16 pm
> To: Brian Bober
> Cc: www-html@w3.org; WWW DOM
> Subject: Re: src attribute of IFRAME and FRAME
> For security reasons, it is important not to let the user access the URI
> of the other document. src is not dynamically updated and we don't plan
> to add a new attribute for that effect.
> 
> Please, let us know if you are (or are not) satisfied with this decision,
> 
> Philippe,
> for the DOM WG.
> 


-- 
jst
Received on Friday, 15 March 2002 20:09:17 GMT
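
The access rule discussed in this thread, as an added example that is not part of the original messages or any browser's code: a simplified model of when a containing document may read a framed document's location, including the document.domain relaxation. It uses the current scheme/host/port comparison rather than the host-only wording above; all hosts and function names are constructed for illustration.

```javascript
// Simplified model of the access rule, not browser source code.
// Hosts below are constructed sample values.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// document.domain may only be set to the current host or a parent domain of it.
// Real browsers also refuse public suffixes; rejecting single-label values
// here is a stand-in for that check.
function isAllowedDomainValue(host, value) {
  return value.includes(".") && (host === value || host.endsWith("." + value));
}

// Build a document record; `domain` is non-null only if the page itself
// assigned document.domain.
function makeDoc(href, domain = null) {
  const u = new URL(href);
  if (domain !== null && !isAllowedDomainValue(u.hostname, domain)) {
    throw new Error(`document.domain="${domain}" rejected for ${u.hostname}`);
  }
  const port = u.port || DEFAULT_PORT[u.protocol] || "";
  return { href: u.href, scheme: u.protocol, host: u.hostname, port, domain };
}

// True when `reader` may script `target` (and so read its location).
function sameOriginDomain(reader, target) {
  if (reader.scheme !== target.scheme) return false;
  if (reader.domain !== null || target.domain !== null) {
    // Both sides must opt in with the same value; the port is then ignored.
    return reader.domain !== null && reader.domain === target.domain;
  }
  return reader.host === target.host && reader.port === target.port;
}

// What the reader learns: the framed URL, or null where a browser would
// raise a security error instead.
function readFrameLocation(reader, framed) {
  return sameOriginDomain(reader, framed) ? framed.href : null;
}

const outer = makeDoc("https://evil.example/wrapper.html");
const inbox = makeDoc("https://mail.example.org/inbox?folder=private");
console.log(readFrameLocation(outer, inbox)); // null: parent cannot track the frame
```

document.domain is deprecated in current browsers, so the relaxation branch mostly matters when reviewing legacy pages.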
