- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 06 Dec 2009 02:03:59 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Dec 6, 2009, at 1:38 AM, Ian Hickson wrote: > On Sun, 6 Dec 2009, sird@rckc.at wrote: >> >> ian, isnt allow-same-origin confusing? since if its same origin what >> stops you from linking it and bypassing those protections. > > allow-same-origin is only really intended to be used with the > aforementioned doc="" attribute idea (eventually) and data: URIs (in > the > meantime). The example you mention is indeed misleading. It seems like a data: URI would not do the trick, since it already has a unique origin, so allow-same-origin would not do what it is intended to. I believe you would have to document.write() into the iframe's content document (after loading about:blank), or load it with a javascript: URI containing a constant string. Regards, Maciej
Received on Sunday, 6 December 2009 10:04:33 UTC