Re: Defining secure-enough origins.

On 8/22/14, 5:37 AM, Mike West wrote:
> 1. Sandboxed documents use the origin of their location in order to
> determine authentication, rather than their actual origin. That is,
> 'https://example.com/' would be considered "authenticated" even if
> thrown into a sandbox which would give it a unique origin. This is in
> line with bz's comments on [1] regarding "secure transport" vs "secure
> origin".

I think this is broken as described.

If I have an https://example.com page that has:

   <iframe srcdoc=whatever sandbox>

then the "location" will be about:srcdoc but the transport is secure.

Similar for about:blank iframes and so forth.

-Boris

Received on Friday, 22 August 2014 13:52:09 UTC