- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 4 Nov 2014 11:54:17 -0800
- To: Sean Snider <ssnider@yahoo-inc.com>
- Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> 2.) host / parent simply puts something in the URL or data that can be accessed,
> > a.) but that cannot be validated at all. . .

You don't have to validate it.

Parent window says in a GET parameter, "I am example.com"

Child iframe sends post message scoped to "example.com". (assuming it passes reputation test)

If the parent lied and is not really example.com, the browser will deny it access to the labeled message.

Isn't that good enough?
Received on Tuesday, 4 November 2014 19:54:43 UTC
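
The flow described in the message above, sketched as an added example that is not part of the original e-mail: the child uses the parent's unvalidated claim only to choose the `targetOrigin` of `postMessage`, and the browser's origin check does the enforcement. The `parent` parameter name, the helper names, the reputation callback and the `fakeWindow` stand-in (which models the browser's delivery rule so the code runs under Node) are all assumptions.

```javascript
// Added example; the parameter name "parent" and all helper names are assumptions.

// Turn the parent's self-declared host (e.g. ?parent=example.com) into an
// origin string usable as postMessage's targetOrigin. Returns null if the
// claim is missing or is not a bare host.
function claimedParentOrigin(search) {
  const claim = new URLSearchParams(search).get('parent');
  if (!claim) return null;
  try {
    const u = new URL('https://' + claim);
    // Reject claims carrying a path, credentials, etc.: host must round-trip.
    return u.host === claim.toLowerCase() ? u.origin : null;
  } catch (e) {
    return null;
  }
}

// Child-iframe side: never uses '*'; the claim only selects the targetOrigin.
function sendToClaimedParent(parentWindow, search, payload, isReputable) {
  const origin = claimedParentOrigin(search);
  if (origin === null || !isReputable(origin)) return false;
  parentWindow.postMessage(payload, origin);
  return true;
}

// Constructed stand-in for a browser window so this runs under Node: it
// applies the browser's delivery rule that a message is dropped unless
// targetOrigin matches the receiving window's real origin.
function fakeWindow(actualOrigin) {
  const received = [];
  return {
    received,
    postMessage(msg, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === actualOrigin) received.push(msg);
    },
  };
}

// Constructed scenario: both parents pass "?parent=example.com" to the child.
function demo() {
  const reputable = (o) => o === 'https://example.com'; // hypothetical reputation test
  const honest = fakeWindow('https://example.com');
  const liar = fakeWindow('https://attacker.test');
  sendToClaimedParent(honest, '?parent=example.com', 'labeled', reputable);
  sendToClaimedParent(liar, '?parent=example.com', 'labeled', reputable);
  return { honest: honest.received.length, liar: liar.received.length };
}
```

In a real iframe the first argument would be `window.parent` and the second `location.search`.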