- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Fri, 22 Aug 2014 10:03:12 -0400
- To: Mike West <mkwst@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
On 8/22/14, 9:58 AM, Mike West wrote: > Frames can be navigated to 'about:blank' across origins (via > window.opener, for instance). Sure. So for about:blank the origin is what matters. And for sandboxed about:blank you're really not quite sure where it came from, is that the issue? > Frames can't be navigated to an effective > 'about:srcdoc' (I think). Well, by setting the srcdoc attribute on the iframe, right? Is the claim that this is ok because only code that's same-origin with the iframe element can do that? But I thought we were talking about transports, not origins... -Boris
Received on Friday, 22 August 2014 14:03:42 UTC