[whatwg] Same-origin checking for media elements

On Wed, Nov 12, 2008 at 3:02 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Wed, Nov 12, 2008 at 4:22 PM, Tim Starling <tstarling at wikimedia.org>
> wrote:
>> JavaScript already has measures along the lines of (2), in the context
>> of frames. The information a script can obtain about a frame from a
>> different origin is carefully restricted. I think that a similar
>> solution would be best. It has the advantage of consistency and proven
>> security.
> I would say it has a history of proven *insecurity*. Look at clickjacking
> for example.
> Anyway, having discussed this with Hixie and Maciej and others a bit on
> #whatwg, things seem to be leaning towards option 2.

While my gut feeling tells me that this is the right solution - would
you mind sharing some of the reasoning as discussed on irc?


Received on Tuesday, 11 November 2008 21:26:19 UTC