
[webappsec] UISecurity input protection: same origin or same document?

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 31 Oct 2013 10:25:55 -0700
Message-ID: <CAEeYn8j_dVp2f30rHzZeNOt-+VTdsG=yLxFGHi93Em2AvKnN=Q@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

The current input protection heuristic says that repaint events or
obstructions caused by a different document trigger a violation.

As it is likely that user agents may composite together rendering of nested
iframes from the same origin, are there any objections to weakening the
heuristic from being same-document to merely same-origin, to avoid another
implementation barrier here?

-Brad
Received on Thursday, 31 October 2013 17:26:23 UTC
