Re: Defining secure-enough origins. from Mike West on 2014-08-22 (public-webappsec@w3.org from August 2014)

From: Mike West <mkwst@google.com>
Date: Fri, 22 Aug 2014 19:41:16 +0200
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAKXHy=egijRfFsiXRTk90ScYmSOYYdoGDXKq_MLKMTE40G55SQ@mail.gmail.com>

On Fri, Aug 22, 2014 at 5:11 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 8/22/14, 10:21 AM, Mike West wrote:
>
>> Using location won't work, as you've noted. Walking up the chain in a
>> similar way to about:srcdoc would work.
>>
>
> Would it?  Your point about being able to navigate to about:blank is a
> good one.
>
> That said, I've been thinking about this a bit more and I think there
> isn't actually an issue here.  If the about:blank is not sandboxed, its
> origin is usable.  If it's sandboxed, then how would it ever end up with
> any nontrivial content?

That is a very good point. :)

I've addressed the srcdoc bit with
https://github.com/w3c/webappsec/commit/65936518b3dc2fb77e9437e01826c58e2a50da5f
.

Thoughts about 'data:'? I don't really think doing taint-checking on
'data:' URL navigations is worth it (or easily implementable).

-mike

Received on Friday, 22 August 2014 17:42:04 UTC