W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 09 Jun 2009 09:54:36 +0200
To: "Mark S. Miller" <erights@google.com>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "Tyler Close" <tyler.close@gmail.com>, "Adam Barth" <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.uu8yxarn64w2qv@annevk-t60>
On Tue, 09 Jun 2009 03:39:19 +0200, Mark S. Miller <erights@google.com> wrote:
> This use-case was the motivation for ADsafe, though any of the JavaScript
> sanitizers would do.
> Without some such sanitization technology, it remains unsafe to load
> untrusted ads directly on your page. Adam and I are still arguing fine
> points of just how unsafe, but there's no question that the answer is at
> least "too unsafe".
> With GuestXMLHttpRequest, such sanitized ads could be allowed to call  
> home safely without being able to impersonate their containing page's origin.

Why can such ads not be embedded using a seamless sandboxed <iframe> from HTML5?

Anne van Kesteren
Received on Tuesday, 9 June 2009 07:55:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC