
Re: Frame Ancestors and Referrer (Re: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note)

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 4 Nov 2014 11:54:17 -0800
Message-ID: <CAEeYn8h83ceXDbmLq-AkvddCqZTD65Z3+gncy4EZWifAzC0=zQ@mail.gmail.com>
To: Sean Snider <ssnider@yahoo-inc.com>
Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> 2.) host / parent simply puts something in the URL or data that can be accessed,
>   a.) but that cannot be validated at all. . .

You don't have to validate it.  Parent window says in a GET parameter,
"I am example.com"  Child iframe sends post message scoped to
"example.com". (assuming it passes reputation test)

If the parent lied and is not really example.com, the browser will
deny it access to the labeled message.  Isn't that good enough?
Received on Tuesday, 4 November 2014 19:54:43 UTC
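The child-frame side of the scheme Brad describes, as an added example that is not from this thread or any browser's code: the parent's self-declared origin arrives in a hypothetical `parent` GET parameter, a constructed allowlist stands in for the "reputation test", and the claimed value is normalised to an exact origin before it is used as the `postMessage` targetOrigin, so a parent that lied simply never receives the message.

```javascript
// Constructed allowlist standing in for the "reputation test" (assumption).
const TRUSTED_PARENT_ORIGINS = new Set([
  "https://example.com",
  "https://app.example.net",
]);

// Turn the parent's claimed value (hypothetical "?parent=..." parameter) into
// an exact origin, or null if it cannot be used safely. Never returns "*":
// a wildcard targetOrigin would let any embedder read the message.
function resolveTargetOrigin(search, trusted = TRUSTED_PARENT_ORIGINS) {
  const claimed = new URLSearchParams(search).get("parent");
  if (!claimed || claimed === "*") return null;
  let url;
  try {
    url = new URL(claimed);
  } catch (e) {
    return null; // not an absolute URL, so there is no origin to scope to
  }
  // Only http(s) has a usable origin; data:, javascript:, blob: etc. do not.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // url.origin keeps scheme + host + non-default port and drops path/query.
  const origin = url.origin;
  return trusted.has(origin) ? origin : null;
}

// Send a message to the parent scoped to its claimed origin. The browser
// drops it if window.parent's real origin differs, so nothing is validated
// here beyond normalisation and the allowlist. Returns the origin used, or
// null if nothing was sent.
function sendToClaimedParent(payload, search = window.location.search,
                             target = window.parent) {
  const origin = resolveTargetOrigin(search);
  if (origin === null) return null;
  target.postMessage(payload, origin);
  return origin;
}
```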