Re: [whatwg/fetch] From-Origin (#687)

I think John's comment is related to:

> Does From-Origin: SameSite (or however we end up spelling it), walk up the ancestor tree, or do we base the check purely on the initiating origin? We've recently fixed X-Frame-Options: SAMEORIGIN to align with frame-ancestors by checking the entire tree, and I'd suggest that that's the right behavior here as well.

My understanding is that the simple check on the initiating origin is probably good enough, but I may be overlooking things here.
AIUI, there might be some attacks whenever there is any cross-origin iframe loaded in the same process, at the time of the load or after the load.
Going through the ancestor tree, or even through the list of frames in a process, will not give full protection.
And I am not sure this will be useful at all in the case of out-of-process iframes.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-379485708

Received on Saturday, 7 April 2018 17:26:52 UTC
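The two candidate checks debated in the quoted comment (initiating origin only versus walking the whole ancestor tree, as X-Frame-Options: SAMEORIGIN now does to align with frame-ancestors), as an added illustration that is not code from the whatwg/fetch issue, from any browser, or from the thread's participants. The header name, its "same-origin" value and the frame model are assumptions made for this example; the frame tree is constructed inline.

```javascript
// Added example (not from whatwg/fetch or any browser). Assumes a hypothetical
// policy "From-Origin: same-origin" on a response and models browsing contexts
// as a simple parent-linked tree of origins.

// A frame is { origin, parent }; parent is null for the top-level document.
function makeFrame(origin, parent = null) {
  return { origin, parent };
}

// Origins from the initiating frame up to the top-level page, innermost first.
function ancestorOrigins(frame) {
  const chain = [];
  for (let f = frame; f !== null; f = f.parent) chain.push(f.origin);
  return chain;
}

// Check A: consider only the origin of the frame that initiated the fetch.
function allowedByInitiatorOnly(resourceOrigin, initiatingFrame) {
  return initiatingFrame.origin === resourceOrigin;
}

// Check B: walk the entire ancestor tree (the frame-ancestors style check);
// every browsing context in the chain must be same-origin with the resource.
function allowedByAncestorWalk(resourceOrigin, initiatingFrame) {
  return ancestorOrigins(initiatingFrame).every((o) => o === resourceOrigin);
}

// Constructed scenario: a.example is the top-level page, it embeds
// attacker.example, which in turn embeds a.example again. The innermost
// a.example frame fetches a same-origin resource carrying the policy.
function scenario() {
  const top = makeFrame('https://a.example');
  const attacker = makeFrame('https://attacker.example', top);
  const inner = makeFrame('https://a.example', attacker);
  const resource = 'https://a.example';
  return {
    chain: ancestorOrigins(inner),
    initiatorOnly: allowedByInitiatorOnly(resource, inner), // true: initiator matches
    ancestorWalk: allowedByAncestorWalk(resource, inner),   // false: attacker.example is in the chain
  };
}

console.log(scenario());
```

The point the comparison makes: with the initiator-only check, a cross-origin page that can get a same-origin frame of the resource's origin nested beneath it still sees that fetch succeed; the ancestor walk refuses it because a non-matching origin appears in the chain. Neither check says anything about other cross-origin frames that merely share the same process, which is the separate concern raised in the reply above.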