Re: Sandboxed iframes (was Re: Seamless iframes + CSS3 selectors = bad idea) from Ian Hickson on 2009-12-06 (public-web-security@w3.org from December 2009)

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 6 Dec 2009 09:38:14 +0000 (UTC)
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912060937130.5629@hixie.dreamhostps.com>

On Sun, 6 Dec 2009, sird@rckc.at wrote:
>
> ian, isnt allow-same-origin confusing? since if its same origin what 
> stops you from linking it and bypassing those protections.

allow-same-origin is only really intended to be used with the 
aforementioned doc="" attribute idea (eventually) and data: URIs (in the 
meantime). The example you mention is indeed misleading.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Sunday, 6 December 2009 09:38:42 UTC