Re: Frame Ancestors and Referrer (Re: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note)

From: Mike West <mkwst@google.com>
Date: Fri, 24 Oct 2014 21:10:06 +0200
Message-ID: <CAKXHy=c+unzE+T43jhUTv5m1ZxSMd4Mz-ggj1hmb68g52NOFUQ@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Oct 24, 2014 at 8:48 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 10/24/14, 7:13 AM, Anne van Kesteren wrote:
>
>> We might be ready to reconsider this.
>>
>
> For some values of "we"... ;)
>
>> I was wondering though whether
>> the API can still be made asynchronous given everyone's out-of-process
>> <iframe> aspirations.
>>
>
> Why bother?
>
> The returned thing is an invariant of the browsing context (and hence of
> any Window in that browsing context, etc).  So you can just save it when
> initially creating the browsing context and then you always have it
> in-process when you need it, I think.


Chromium's OOP frames work is indeed taking this route: we need synchronous
origin checks all over the place, so that team is propagating the frame
tree into each renderer, and doing the work to keep it synchronized. Let's
see if they're successful!

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 24 October 2014 19:10:56 UTC
