I'm fairly certain that all modern browsers which don't implement
ancestorOrigins do implement the 'allow-from' extension to
'X-Frame-Options', which exposes the same information via the same
brute-force attack.
-mike
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
On Wed, Sep 3, 2014 at 3:00 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Sep 3, 2014 at 2:31 PM, Mike West <mkwst@google.com> wrote:
> > Ok. That sounds reasonable. I suppose an attacker who had already gotten
> a
> > frame onto a page could embed a frame in that frame that could iterate
> > through possible URLs. Since we already expose origins via
> > `window.location.ancestorOrigins`, there's no additional risk in the
> origin
> > case.
> >
> > WDYT of
> >
> https://github.com/w3c/webappsec/commit/bdc66b7b704a944f4b0a03cfc79fb91c6fa31d65
> ?
>
> As far as I can tell ancestorOrigins is a proprietary extension. Until
> that changes you might be introducing a hole here for browsers that do
> not implement it?
>
>
> --
> http://annevankesteren.nl/
>