- From: Adam Barth <whatwg@adambarth.com>
- Date: Sat, 13 Feb 2010 00:36:20 -0800
On Sat, Feb 13, 2010 at 12:08 AM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> Perhaps we want an "allow-frame-busting" directive?  In the
>> implementation we have an "allow-navigation" bit that covers
>> navigation |top| as well as window.open, etc.  Maybe we want a more
>> general directive that twiddles this bit?
>
> I'm wondering if sites want to have control over the type of
> navigation: navigating the top-level context versus opening a new
> window? In particular, I am thinking about ads in embeddable gadgets
> (on social sites, or in places such as Docs, Wave, etc): you do not
> want the gadget to interfere with the presentation of the page by
> triggering disruptive and unsolicited top frame transitions (as this
> could be used for a crude DoS - in fact, IIRC, there is some history
> along these lines), but you may be OK with a pop-up ad following a
> click.

Yeah, I think there are use cases for both top-level navigation and
window.open from sandboxed context. I suspect there's some trade off
between complexity and fine-grained control.

Adam
Received on Saturday, 13 February 2010 00:36:20 UTC