- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 11 Feb 2015 14:31:25 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Jim Manico <jim.manico@owasp.org>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> Isn't one explicit motivation for sub-origins the limitations of
> sandbox brought up here? See intro section in
> https://metromoxie.github.io/webappsec/specs/suborigins/. Maybe it
> might be enough to support the ad and third party widget use cases too.

Yes, the suborigin document is what got me thinking about improving iframe sandbox in the first place. In particular, the suborigin document says, basically, that because iframe sandbox does not work for some use cases, something completely different is needed. I'm trying to understand why we can't just improve iframe sandbox instead, at least for the embedded content case.

I understand that there is still the issue of being able to have https://www.google.com/maps isolated from the rest of https://www.google.com/, but I think it may be useful to approach that issue separately from the embedding issue.

Cheers,
Brian

Received on Wednesday, 11 February 2015 22:31:52 UTC