- From: Nick Vidal <nick@iss.im>
- Date: Mon, 6 Sep 2010 16:46:02 -0300

Hi Adam,

> allow-top-navigation only allows writing to the top frames location.
> The security vulnerability would be *reading* the location.

Hum... you are right. I just reread the specs and now I see that this would be the top-down equivalent to *writing* to a child iframe using src. I misread the specs believing you could *read* the top frame's location, which by symmetry led me to believe that you could also *read* from the top-down. My fault!

> What is a trusted source? There's no such thing in the web platform.

Except for the browser, at least theoretically. So if you could extend this trust to the Webtop by guaranteeing that it's the top-most authority, then just like the browser the Webtop could have access to every children's history.

So I guess the top-down/bottom-up symmetry is not so symmetric after all!

Anyways, thanks for clearing this out!

Kind regards,
Nick

Received on Monday, 6 September 2010 12:46:02 UTC