Yes. I should have pulled the "walk up the tree" language over for srcdoc.
I'll fix that.
I'm less convinced that breaking 'about:blank' is a bug, though I'm sure
it's widely used. Would it be that bad to force about:blank frames to ask
for data from their parent via postMessage?
-mike
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
On Fri, Aug 22, 2014 at 3:51 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 8/22/14, 5:37 AM, Mike West wrote:
>
>> 1. Sandboxed documents use the origin of their location in order to
>> determine authentication, rather than their actual origin. That is,
>> 'https://example.com/' would be considered "authenticated" even if
>> thrown into a sandbox which would give it a unique origin. This is in
>> line with bz's comments on [1] regarding "secure transport" vs "secure
>> origin".
>>
>
> I think this is broken as described.
>
> If I have an https://example.com page that has:
>
> <iframe srcdoc=whatever sandbox>
>
> then the "location" will be about:srcdoc but the transport is secure.
>
> Similar for about:blank iframes and so forth.
>
> -Boris
>
>