- From: Silvia Pfeiffer <silviapfeiffer1@gmail.com>
- Date: Wed, 12 Nov 2008 16:26:19 +1100
On Wed, Nov 12, 2008 at 3:02 PM, Robert O'Callahan <robert at ocallahan.org> wrote: > On Wed, Nov 12, 2008 at 4:22 PM, Tim Starling <tstarling at wikimedia.org> > wrote: >> >> JavaScript already has measures along the lines of (2), in the context >> of frames. The information a script can obtain about a frame from a >> different origin is carefully restricted. I think that a similar >> solution would be best. It has the advantage of consistency and proven >> security. > > > I would say it has a history of proven *insecurity*. Look at clickjacking > for example. > > Anyway, having discussed this with Hixie and Maciej and others a bit on > #whatwg, things seem to be leaning towards option 2. While my gut feeling tells me that this is the right solution - would you mind sharing some of the reasoning as discussed on irc? Thanks, Silvia.
Received on Tuesday, 11 November 2008 21:26:19 UTC