Re: Defining secure-enough origins.

On 8/22/14, 9:58 AM, Mike West wrote:
> Frames can be navigated to 'about:blank' across origins (via
> window.opener, for instance).

Sure.  So for about:blank the origin is what matters.  And for sandboxed 
about:blank you're really not quite sure where it came from, is that the 

> Frames can't be navigated to an effective
> 'about:srcdoc' (I think).

Well, by setting the srcdoc attribute on the iframe, right?  Is the 
claim that this is ok because only code that's same-origin with the 
iframe element can do that?  But I thought we were talking about 
transports, not origins...


Received on Friday, 22 August 2014 14:03:42 UTC