
Re: [webappsec] UISecurity input protection: same origin or same document?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 31 Oct 2013 17:52:16 +0000
Message-ID: <CADnb78jviYgkWyCr=E0xDbgEOJftq9e8yX7z9KwN5NALVPgSMg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Oct 31, 2013 at 5:25 PM, Brad Hill <hillbrad@gmail.com> wrote:
> The current input protection heuristic says that repaint events or
> obstructions caused by a different document trigger a violation.
> As it is likely that user agents may composite together rendering of nested
> iframes from the same origin, are there any objections to weakening the
> heuristic from being same-document to merely same-origin, to avoid another
> implementation barrier here?

It seems likely for <iframe seamless> (which we want cross-origin too)
but I might be missing what this is about.

Received on Thursday, 31 October 2013 17:52:47 UTC
