
[whatwg] Same-origin checking for media elements

From: Silvia Pfeiffer <silviapfeiffer1@gmail.com>
Date: Wed, 12 Nov 2008 16:26:19 +1100
Message-ID: <2c0e02830811112126r4b3fe7fej8f6d287697d211fa@mail.gmail.com>

On Wed, Nov 12, 2008 at 3:02 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Wed, Nov 12, 2008 at 4:22 PM, Tim Starling <tstarling at wikimedia.org>
> wrote:
>>
>> JavaScript already has measures along the lines of (2), in the context
>> of frames. The information a script can obtain about a frame from a
>> different origin is carefully restricted. I think that a similar
>> solution would be best. It has the advantage of consistency and proven
>> security.
>
>
> I would say it has a history of proven *insecurity*. Look at clickjacking
> for example.
>
> Anyway, having discussed this with Hixie and Maciej and others a bit on
> #whatwg, things seem to be leaning towards option 2.

While my gut feeling tells me that this is the right solution - would
you mind sharing some of the reasoning as discussed on IRC?

Thanks,
Silvia.
Received on Tuesday, 11 November 2008 21:26:19 UTC
