- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 3 Sep 2014 15:00:58 +0200
- To: Mike West <mkwst@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "Hill, Brad" <bhill@paypal.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Sep 3, 2014 at 2:31 PM, Mike West <mkwst@google.com> wrote:

> Ok. That sounds reasonable. I suppose an attacker who had already gotten a
> frame onto a page could embed a frame in that frame that could iterate
> through possible URLs. Since we already expose origins via
> `window.location.ancestorOrigins`, there's no additional risk in the origin
> case.
>
> WDYT of
> https://github.com/w3c/webappsec/commit/bdc66b7b704a944f4b0a03cfc79fb91c6fa31d65?

As far as I can tell ancestorOrigins is a proprietary extension. Until that changes you might be introducing a hole here for browsers that do not implement it?

-- 
http://annevankesteren.nl/
Received on Wednesday, 3 September 2014 13:01:31 UTC