- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 6 Sep 2010 12:11:20 -0700
On Mon, Sep 6, 2010 at 11:48 AM, Nick Vidal <nick at iss.im> wrote:
>>> By bookmark, I mean the Webtop being able to read the current location
>>> of the website and saving that to the server-side. By save a session,
>>> I mean the Webtop being able to read the location of all iframes it
>>> created and saving that to the server-side for later retrieval.
>>
>> Reading the location of an iframe across origins is a security
>> vulnerability. We're not going to allow that. You're of course free
>> to remember where you directed the frame initially, but you won't be
>> able to figure out what URL the frame is currently displaying.
>
> Does it really represent a security vulnerability?

Yes.

> Even when the Webtop is a trusted-source?

What is a trusted source? There's no such thing in the web platform.

> And if allow-bottom-navigation is a vulnerability, wouldn't allow-top-navigation be one too?

allow-top-navigation only allows writing to the top frame's location.
The security vulnerability would be *reading* the location.

Adam
Received on Monday, 6 September 2010 12:11:20 UTC
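
The distinction drawn in the message above, as an added example that is not part of the original e-mail: an embedding page can always remember the URL it pointed a frame at, but a read of a cross-origin frame's current location is refused, so a session snapshot has to fall back to the remembered URL. The names `readCurrentUrl`, `snapshotSession`, `fakeFrame` and the `.example` URLs are hypothetical, and the frame objects are constructed stand-ins for iframe elements so the logic runs outside a browser.

```javascript
// Returns the frame's current URL, or null when the read is refused.
// In a browser, a cross-origin read of location.href throws a DOMException
// whose name is "SecurityError".
function readCurrentUrl(iframe) {
  try {
    return iframe.contentWindow.location.href;
  } catch (err) {
    if (err && err.name === "SecurityError") return null; // cross-origin: unreadable
    throw err; // any other failure is a real bug, do not hide it
  }
}

// Hypothetical session saver: `tracked` pairs each frame with the URL the
// embedder itself directed it to, which is the only URL it is entitled to know.
function snapshotSession(tracked) {
  return tracked.map(({ iframe, initialUrl }) => {
    const currentUrl = readCurrentUrl(iframe);
    return {
      initialUrl,
      currentUrl,                           // null for cross-origin frames
      restoreUrl: currentUrl ?? initialUrl, // fall back to what we set ourselves
    };
  });
}

// Constructed stand-in for an iframe element (assumption, for offline runs):
// the href getter behaves like the browser's same-origin check.
function fakeFrame(href, crossOrigin) {
  const location = {};
  Object.defineProperty(location, "href", {
    get() {
      if (!crossOrigin) return href;
      const err = new Error("Blocked a frame from accessing a cross-origin frame.");
      err.name = "SecurityError";
      throw err;
    },
  });
  return { contentWindow: { location } };
}

// Constructed sample: one same-origin frame, one cross-origin frame that has
// since navigated to a URL the embedder must not learn.
const SAMPLE_FRAMES = [
  { initialUrl: "https://webtop.example/notes",
    iframe: fakeFrame("https://webtop.example/notes/42", false) },
  { initialUrl: "https://mail.example/",
    iframe: fakeFrame("https://mail.example/inbox/private-id", true) },
];
```
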