Re: CSP Level 2 last call comment

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 03 Sep 2014 11:07:23 -0400
Message-ID: <54072EAB.2000807@mit.edu>
To: public-webappsec@w3.org

On 9/3/14, 8:31 AM, Mike West wrote:
> Ok. That sounds reasonable. I suppose an attacker who had already gotten
> a frame onto a page could embed a frame in that frame that could iterate
> through possible URLs. Since we already expose origins via
> `window.location.ancestorOrigins`

For some values of "we".  It's not clear to me that "we" actually wants 
to expose that information cross-origin....

-Boris
Received on Wednesday, 3 September 2014 15:07:52 UTC
