- From: Kristof Zelechovski <giecrilj@stegny.2a.pl>
- Date: Fri, 26 Sep 2008 10:01:15 +0200

It seems the problem equally affects embedded objects that can be loaded from a different origin as well.

Chris

_____

From: whatwg-bounces@lists.whatwg.org [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Robert O'Callahan
Sent: Friday, September 26, 2008 3:31 AM
To: Michal Zalewski
Cc: Maciej Stachowiak; whatwg at lists.whatwg.org
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web

IMHO the basic problem here is allowing IFRAMEs to be cross-origin by default. That causes many problems, some of which you know well, and others you probably don't (e.g. http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html ).

In fact, in an ideal world, I think we'd default to same-origin restrictions on everything --- IFRAMEs, images, scripts, etc --- and use a spec like Access Controls to let sites opt-in to allowing their resources to be loaded from specific other origins.

Received on Friday, 26 September 2008 01:01:15 UTC