- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Fri, 22 Aug 2014 09:51:39 -0400
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
On 8/22/14, 5:37 AM, Mike West wrote:

> 1. Sandboxed documents use the origin of their location in order to
> determine authentication, rather than their actual origin. That is,
> 'https://example.com/' would be considered "authenticated" even if
> thrown into a sandbox which would give it a unique origin. This is in
> line with bz's comments on [1] regarding "secure transport" vs "secure
> origin".

I think this is broken as described. If I have an https://example.com page that has:

  <iframe srcdoc=whatever sandbox>

then the "location" will be about:srcdoc but the transport is secure. Similar for about:blank iframes and so forth.

-Boris
Received on Friday, 22 August 2014 13:52:09 UTC
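
The case raised in the message above, as an added example that is not part of the original thread: a check keyed on the document's location reports a sandboxed `srcdoc` frame inside an https page as unauthenticated. The frame model, the function names and the rule of walking up to the embedding document are assumptions made for this sketch, not text from any specification.

```javascript
// Constructed frame model: the URL a document reports as its location,
// its sandbox flag, and its embedding frame (null for a top-level document).
function makeFrame(location, { sandboxed = false, parent = null } = {}) {
  return { location, sandboxed, parent };
}

// Locations that carry no transport of their own; the content reaches the
// browser through the embedding document (assumption for this sketch).
const INHERITING_LOCATIONS = new Set(["about:srcdoc", "about:blank"]);

// The check as proposed in the quoted text: only the location's scheme
// matters, so the sandbox flag (unique origin) is deliberately ignored.
function authenticatedByLocation(frame) {
  return new URL(frame.location).protocol === "https:";
}

// Hypothetical transport-based variant: for about:srcdoc / about:blank,
// walk up to the nearest ancestor that has a real location and judge that.
function authenticatedByTransport(frame) {
  let current = frame;
  while (current !== null && INHERITING_LOCATIONS.has(current.location)) {
    current = current.parent;
  }
  return current !== null && authenticatedByLocation(current);
}

// Runs both checks over a small constructed frame tree.
function compareChecks() {
  const secureTop = makeFrame("https://example.com/");
  const insecureTop = makeFrame("http://example.com/");
  const frames = {
    sandboxedHttps: makeFrame("https://example.com/", { sandboxed: true }),
    srcdocInHttps: makeFrame("about:srcdoc", { sandboxed: true, parent: secureTop }),
    blankInHttps: makeFrame("about:blank", { parent: secureTop }),
    srcdocInHttp: makeFrame("about:srcdoc", { sandboxed: true, parent: insecureTop }),
  };
  const result = {};
  for (const [name, frame] of Object.entries(frames)) {
    result[name] = {
      byLocation: authenticatedByLocation(frame),
      byTransport: authenticatedByTransport(frame),
    };
  }
  return result;
}
```

The two checks agree on the sandboxed https document and disagree on the `about:srcdoc` and `about:blank` frames embedded in the https page, which is the gap the message points at.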