W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2008

[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Kristof Zelechovski <giecrilj@stegny.2a.pl>
Date: Mon, 29 Sep 2008 14:59:40 +0200
Message-ID: <B7CAEB49EEF646C185624AEA1AB442B5@POCZTOWIEC>
I am not sure I have understood Robert correctly, but it seems obvious to me
that if a site does not want to reveal its origin it cannot apply for
tighter cooperation; it will just be treated as any other site in the wild.
And it is better not to rely on the user agent to do the right thing, if
possible.

Chris

From: whatwg-bounces@lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Robert O'Callahan
Sent: Monday, September 29, 2008 11:33 AM
To: Hallvord R M Steen
Cc: whatwg at lists.whatwg.org; Michal Zalewski; Smylers
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web

That's good to have and we should definitely do it, but there are a couple
of reasons "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise" would be
useful as well:
-- a bit simpler to implement on the server
-- for privacy reasons some UAs in some situations might not want to expose
the origin to the IFRAME's server; allowing the origin check to happen on
the client would handle that

Received on Monday, 29 September 2008 05:59:40 UTC
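The "same-origin only unless access controls say otherwise" option Robert describes above puts the framing decision in the user agent: the framed document's server states its policy once, and the browser compares it against the ancestor chain it already knows, so the server never has to learn who is embedding it. The following is an added example of that client-side decision, not code from the thread or from any browser; the header name "X-Frame-Policy" and its grammar ("same-origin", an optional "allow=" list of origins, or "*") are assumptions made for illustration only.

```javascript
// Added example: client-side "frame only from same origin unless the
// response says otherwise" check. The header name and its grammar are
// assumed for illustration; they are not a real or proposed header.
//
// Assumed grammar for X-Frame-Policy:
//   (absent)                            -> legacy behaviour, anyone may frame
//   "*"                                 -> anyone may frame
//   "same-origin"                       -> only ancestors with our own origin
//   "same-origin; allow=<origin> ..."   -> plus the listed origins
//   ""                                  -> header present but grants nothing: deny
//
// Because the check runs in the user agent with the ancestor chain it
// already has, the framed site's server never sees the embedding origin.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Canonical "scheme://host:port" used for same-origin comparison.
// The URL parser lowercases the host and drops a default port, so
// "https://BANK.example:443/x" and "https://bank.example/y" compare equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORT[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Parse the assumed header value into a policy object.
function parseFramePolicy(headerValue) {
  const policy = { present: false, any: false, sameOrigin: false, allowed: new Set() };
  if (headerValue == null) return policy; // no header: legacy, frame freely
  policy.present = true;
  const parts = headerValue.split(';').map(s => s.trim()).filter(Boolean);
  for (const part of parts) {
    const lower = part.toLowerCase();
    if (part === '*') {
      policy.any = true;
    } else if (lower === 'same-origin') {
      policy.sameOrigin = true;
    } else if (lower.startsWith('allow=')) {
      for (const token of part.slice('allow='.length).split(/\s+/).filter(Boolean)) {
        try { policy.allowed.add(originOf(token)); } catch (e) { /* malformed entry grants nothing */ }
      }
    }
    // Unknown directives are ignored, which fails closed: they grant nothing.
  }
  return policy;
}

// Decide whether the document at documentUrl may be rendered given the
// URLs of every ancestor browsing context (innermost first, up to the top).
function mayBeFramed(headerValue, documentUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true; // top-level document, nothing to check
  const policy = parseFramePolicy(headerValue);
  if (!policy.present || policy.any) return true;
  const self = originOf(documentUrl);
  // Every ancestor must be permitted: an allowed intermediate frame could
  // itself sit inside a hostile page, so the whole chain is checked.
  return ancestorUrls.every(ancestor => {
    const o = originOf(ancestor);
    return (policy.sameOrigin && o === self) || policy.allowed.has(o);
  });
}

// Constructed sample: a banking page that permits only itself and one partner.
const SAMPLE_POLICY = 'same-origin; allow=https://partner.example';
const SAMPLE_DOC = 'https://bank.example/transfer';

function demo() {
  return {
    legacyNoHeader: mayBeFramed(null, SAMPLE_DOC, ['https://evil.example/']),
    sameOriginOk:   mayBeFramed(SAMPLE_POLICY, SAMPLE_DOC, ['https://BANK.example:443/portal']),
    schemeDiffers:  mayBeFramed(SAMPLE_POLICY, SAMPLE_DOC, ['http://bank.example/']),
    partnerDirect:  mayBeFramed(SAMPLE_POLICY, SAMPLE_DOC, ['https://partner.example/app']),
    partnerNested:  mayBeFramed(SAMPLE_POLICY, SAMPLE_DOC, ['https://partner.example/app', 'https://evil.example/']),
  };
}
```

The nested case is the one a naive implementation gets wrong: checking only the immediate parent lets an attacker wrap an allowed partner page in their own frame and redress the bank page through it, so the policy must hold for every ancestor up to the top-level document.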