W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: CSP Level 2 last call comment

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 3 Sep 2014 15:00:58 +0200
Message-ID: <CADnb78hhZeb6U239FxunxZcaqikhrc+8G2atcDdcOhANZdDT7w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Hill, Brad" <bhill@paypal.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Sep 3, 2014 at 2:31 PM, Mike West <mkwst@google.com> wrote:
> Ok. That sounds reasonable. I suppose an attacker who had already gotten a
> frame onto a page could embed a frame in that frame that could iterate
> through possible URLs. Since we already expose origins via
> `window.location.ancestorOrigins`, there's no additional risk in the origin
> case.
>
> WDYT of
> https://github.com/w3c/webappsec/commit/bdc66b7b704a944f4b0a03cfc79fb91c6fa31d65?

As far as I can tell ancestorOrigins is a proprietary extension. Until
that changes you might be introducing a hole here for browsers that do
not implement it?


-- 
http://annevankesteren.nl/
Received on Wednesday, 3 September 2014 13:01:31 UTC
