- From: Chris Palmer <palmer@google.com>
- Date: Mon, 28 Mar 2016 12:39:52 -0700
- To: Craig Francis <craig.francis@gmail.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Monday, 28 March 2016 19:40:21 UTC
I'm not a huge fan of letting cross-origin iframes get access to the textContent of any element in the embedder's DOM. It's potentially a privacy and security nightmare. For example, what if public content is blended in with private content in the embedder's DOM? The embedee could drive around looking for it. Not cool.

And, yes, another synchronous API is a bummer.

I'd much rather have the embedder explicitly pass the relevant text to the embedee by some means, either postMessage, an iframe element attribute, or URL query parameters.

Yes, it requires ad tech developers to do a little work. But, if they want to get paid, they have to do a little work. And the heat is on them now to stop egregiously violating people's privacy and security on the web. The good news is, they are starting to see that: http://www.iab.com/adopting-encryption-the-need-for-https/.
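The postMessage option mentioned in the message above, sketched as an added example that is not part of the original post or of any proposal in the thread. The origins, the `data-share-with-ads` attribute, the `page-context` message type and the length limit are all assumptions chosen for illustration.

```javascript
// Assumed origins and limits (hypothetical, not from the original message).
const AD_ORIGIN = "https://ads.example";        // the embedded frame
const EMBEDDER_ORIGIN = "https://news.example"; // the embedding page
const MAX_TEXT = 2000;

// Constructed sample standing in for DOM elements: public and private text mixed.
const SAMPLE_NODES = [
  { dataset: { shareWithAds: "true" }, textContent: "  Review of hiking boots " },
  { dataset: {}, textContent: "Signed in as alice@example.org" },
  { dataset: { shareWithAds: "true" }, textContent: "Trail guide" },
];

// Embedder side: share only elements the author marked data-share-with-ads="true".
// Anything unmarked (such as the account line above) never leaves the page.
function collectSharedText(nodes) {
  const parts = [];
  for (const n of nodes) {
    if (n.dataset && n.dataset.shareWithAds === "true") {
      parts.push(n.textContent.trim());
    }
  }
  return parts.join("\n").slice(0, MAX_TEXT);
}

// Embedder side: address the message to one named origin, never "*".
// In a page: sendContext(iframe.contentWindow, document.querySelectorAll("[data-share-with-ads]"))
function sendContext(frameWindow, nodes) {
  const msg = { type: "page-context", text: collectSharedText(nodes) };
  frameWindow.postMessage(msg, AD_ORIGIN);
  return msg;
}

// Embedee side: accept only well-formed messages from the expected embedder.
// In the frame: window.addEventListener("message", (e) => { const t = receiveContext(e); ... })
function receiveContext(event) {
  if (event.origin !== EMBEDDER_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== "page-context" || typeof d.text !== "string") return null;
  if (d.text.length > MAX_TEXT) return null;
  return d.text;
}
```
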