- From: Kristof Zelechovski <giecrilj@stegny.2a.pl>
- Date: Mon, 29 Sep 2008 14:59:40 +0200
I am not sure I have understood Robert correctly but it seems obvious to me that if a site does not want to reveal its origin it cannot apply for a tighter cooperation; it will just be treated as any other site in the wild. And it is better not to rely on the user agent to do the right thing if possible.

Chris

_____

From: whatwg-bounces@lists.whatwg.org [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Robert O'Callahan
Sent: Monday, September 29, 2008 11:33 AM
To: Hallvord R M Steen
Cc: whatwg at lists.whatwg.org; Michal Zalewski; Smylers
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web

That's good to have and we should definitely do it, but there are a couple of reasons "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise" would be useful as well:
-- a bit simpler to implement on the server
-- for privacy reasons some UAs in some situations might not want to expose the origin to the IFRAME's server; allowing the origin check to happen on the client would handle that
Received on Monday, 29 September 2008 05:59:40 UTC