- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 6 Dec 2009 08:34:46 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Sun, Dec 6, 2009 at 1:38 AM, Ian Hickson <ian@hixie.ch> wrote:
> On Sun, 6 Dec 2009, sird@rckc.at wrote:
>> ian, isn't allow-same-origin confusing? since if it's same origin what
>> stops you from linking it and bypassing those protections.
>
> allow-same-origin is only really intended to be used with the
> aforementioned doc="" attribute idea (eventually) and data: URIs (in the
> meantime). The example you mention is indeed misleading.

Plenty of people will screw this up, but I'm not sure how best to help
them. One mitigating factor is that developers know that old browsers
don't support @sandbox. I'm not sure what happens when that's no
longer the case (but thankfully (!), old browsers will be with us for a
long time).

Adam
Received on Sunday, 6 December 2009 16:35:39 UTC
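
Added example, not part of the message above or of the list archive: a small JavaScript review check for the pitfall raised in the thread, flagging a sandboxed iframe that sets allow-same-origin while pointing at a document on the embedding page's own origin, which can also be loaded directly without the sandbox. The function name `auditSandboxedFrame`, the result levels and the sample frames are assumptions made for illustration.

```javascript
// Added example: classify one iframe's sandbox usage.
// frame = { src, sandbox } as read from markup; pageUrl = URL of the embedding page.
function auditSandboxedFrame(frame, pageUrl) {
  // No sandbox attribute at all: nothing to audit here.
  if (frame.sandbox === undefined || frame.sandbox === null) {
    return { level: "info", reason: "no sandbox attribute" };
  }
  // The attribute is a space-separated, case-insensitive token set.
  const tokens = new Set(frame.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  if (!tokens.has("allow-same-origin")) {
    return { level: "ok", reason: "framed content is given a unique origin" };
  }
  if (!frame.src) {
    return { level: "review", reason: "allow-same-origin with no src to check" };
  }
  let target;
  try {
    target = new URL(frame.src, pageUrl); // resolves relative URLs against the page
  } catch (e) {
    return { level: "review", reason: "src could not be parsed" };
  }
  // The use the thread describes as intended: inline data: content.
  if (target.protocol === "data:") {
    return { level: "ok", reason: "allow-same-origin on inline data: content" };
  }
  // The confusing case from the thread: the framed document lives on the
  // embedding origin, so the same URL also loads directly with no sandbox.
  if (target.origin === new URL(pageUrl).origin) {
    return { level: "warn", reason: "same-origin document is reachable outside the sandbox" };
  }
  return { level: "review", reason: "allow-same-origin on a different origin" };
}

// Constructed sample input (not taken from any real site).
const page = "https://www.example.com/index.html";
const frames = [
  { src: "/user/profile.html", sandbox: "allow-same-origin" },
  { src: "data:text/html,<p>comment</p>", sandbox: "Allow-Same-Origin" },
  { src: "/user/profile.html", sandbox: "" },
  { src: "https://widgets.example.net/w.html", sandbox: "allow-same-origin" },
];
for (const f of frames) {
  const r = auditSandboxedFrame(f, page);
  console.log(r.level.padEnd(6), f.src, "->", r.reason);
}
```

A "warn" result is a prompt to check that the framed URL is not relied on as untrusted content, since the sandbox only applies when the document is loaded through that iframe.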