Re: [powerful features] Secure Contexts and Framed Documents

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 13 Jan 2016 18:25:35 +0100
Message-ID: <CADnb78g6CK2b7tVV+AerWPSHdeQD4uCW6ch=MTRssqzgD7pXmg@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Rich Tibbett <rich.tibbett@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Wed, Jan 13, 2016 at 6:21 PM, Joel Weinberger <jww@chromium.org> wrote:
> Part of the issue is that even if a frame does 'everything' right (and I
> don't really know what 'everything' would mean, so as Anne requested, it
> would be good to make that clear), it would be extremely difficult to
> present permission decisions to the user in a meaningful way. Origins are
> already hard enough to present, and if you have a secure origin requesting a
> permission within a secure frame, how would the user agent present this in a
> way to meaningfully convey the weird security layering going on?

Yeah, allowing permission prompts from origins that do not match the
origin of the address bar has been a big mistake. I hope we can phase
that out over time.

Received on Wednesday, 13 January 2016 17:25:59 UTC