- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sat, 13 Feb 2010 00:08:13 -0800
> Perhaps we want an "allow-frame-busting" directive? In the
> implementation we have an "allow-navigation" bit that covers
> navigation |top| as well as window.open, etc. Maybe we want a more
> general directive that twiddles this bit?

I'm wondering if sites want to have control over the type of navigation: navigating the top-level context versus opening a new window? In particular, I am thinking about ads in embeddable gadgets (on social sites, or in places such as Docs, Wave, etc): you do not want the gadget to interfere with the presentation of the page by triggering disruptive and unsolicited top frame transitions (as this could be used for a crude DoS - in fact, IIRC, there is some history along these lines), but you may be OK with a pop-up ad following a click.

/mz
Received on Saturday, 13 February 2010 00:08:13 UTC