- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 6 Dec 2009 10:30:50 +0000 (UTC)
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Sun, 6 Dec 2009, Maciej Stachowiak wrote:
> On Dec 6, 2009, at 1:38 AM, Ian Hickson wrote:
> > On Sun, 6 Dec 2009, sird@rckc.at wrote:
> > >
> > > Ian, isn't allow-same-origin confusing? Since if it's same origin, what
> > > stops you from linking it and bypassing those protections.
> >
> > allow-same-origin is only really intended to be used with the
> > aforementioned doc="" attribute idea (eventually) and data: URIs (in
> > the meantime). The example you mention is indeed misleading.
>
> It seems like a data: URI would not do the trick, since it already has a
> unique origin, so allow-same-origin would not do what it is intended to.
> I believe you would have to document.write() into the iframe's content
> document (after loading about:blank), or load it with a javascript: URI
> containing a constant string.

The origin of a data: Document is the same as its parent browsing context's Document's origin.

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
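An added test page (not part of the thread, and not from any of its authors) for checking what a data: iframe can actually reach under the sandbox settings discussed above: it loads one constructed data: document with no sandbox, with `allow-scripts`, and with `allow-scripts allow-same-origin`, and logs whether the framed script can touch the parent document. The logged frame origin shows whether the browser you run it in applies the inherited-origin rule Ian describes or gives the data: document a unique origin, as Maciej expects.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>sandbox / data: origin check</title>
<pre id="log"></pre>
<script>
// Constructed child document: it tries to reach the parent document and
// reports the outcome with postMessage, which works across origins, so the
// report arrives whether or not the frame ended up same-origin.
const child = `<script>
  let result;
  try {
    result = "same-origin (parent.document.title = " + parent.document.title + ")";
  } catch (e) {
    result = "cross-origin (" + e.name + ")";
  }
  parent.postMessage({ tag: name, result }, "*");
<\/script>`;
const dataUrl = "data:text/html;charset=utf-8," + encodeURIComponent(child);

// Sandbox attribute values to compare; null means no sandbox attribute at all.
const cases = {
  "no-sandbox":                null,
  "allow-scripts":             "allow-scripts",
  "allow-scripts+same-origin": "allow-scripts allow-same-origin",
};

const out = document.getElementById("log");
window.addEventListener("message", (ev) => {
  // ev.origin is the serialised origin of the sender; a unique (opaque)
  // origin serialises as the string "null".
  out.textContent += `[${ev.data.tag}] frame origin=${ev.origin}: ${ev.data.result}\n`;
});

for (const [tag, sandbox] of Object.entries(cases)) {
  const f = document.createElement("iframe");
  f.name = tag;                       // read back as window.name in the child
  if (sandbox !== null) f.setAttribute("sandbox", sandbox);
  f.src = dataUrl;
  document.body.appendChild(f);
}
</script>
```

Serve the file over http(s) rather than opening it from disk, since file: documents have their own origin rules and would muddy the comparison.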
Received on Sunday, 6 December 2009 10:31:19 UTC