- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 22 Feb 2011 01:01:11 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Tue, Feb 22, 2011 at 12:52 AM, gaz Heyes <gazheyes@gmail.com> wrote: > On 22 February 2011 00:42, Adam Barth <w3c@adambarth.com> wrote: >> > 1. When sandbox kicks in, I get a unique origin right? >> >> Yes. > > How does this unique origin work? I can't find it defined anywhere. It's defined in HTML5. > I see a couple of problems with it.... > > 1. If the unique origin is defined in the url what happens when a link is > clicked, does it send the referrer? It does send the Referer. > 2. If the unique origin is different than the URL itself then how can that > work since same origin policy will be broken The same-origin policy is not broken. > 3. Lets say the unique origin uses the about protocol, is each unique > protocol classed as a separate domain on each browser, e.g. about:1, about:2 > can you set cookies on about:1 then can be read by about:2 The unique origin does not use the about scheme. > 4. What if a sandbox allows JavaScript and the location is written > somewhere, would that expose the unique origin? I'm not sure what you mean by that. In any case, you're welcome to try it out. Grab a WebKit nightly build and create an iframe with the sandbox attribute. That will give you a document with a unique origin. Adam
Received on Tuesday, 22 February 2011 09:02:16 UTC