- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 4 Apr 2012 01:54:14 +0000 (UTC)
On Tue, 3 Apr 2012, Adam Barth wrote:
> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson <ian at hixie.ch> wrote:
> > On Tue, 3 Apr 2012, Adam Barth wrote:
> >> Talking with some folks off-list, there are also use cases for knowing
> >> the origin of the top-most document.
> >
> > Could you elaborate on those use cases? (And also those for parent.origin,
> > though those seem more obvious, e.g. disabling features to protect against
> > clickjacking in unauthorised embeddings.)
>
> The use case is the same as in the previous email, specifically:
>
> ---8<---
> Some widgets want to behave differently depending on the context in
> which they are embedded. For example, a payment widget might want to
> send the user to a confirmation page for most web sites but might be
> comfortable with a more streamlined user experience when embedded on a
> whitelist of sites with which they have a contractual relationship.
> --->8---
>
> The payment widget might care about all of its ancestors. For example,
> suppose the payment operator has a relationship with store.example.com.
> They might wish to fall back to using a confirmation page if
> store.example.com is embedded as a frame in another web site (e.g.,
> Pinterest).

Why don't they just ask the parent frame for their parent's origin, since
they trust them?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 3 April 2012 18:54:14 UTC
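
The approach raised in the reply above (the widget asks its trusted parent frame about the frames above it) can be sketched as follows. This is an added example, not code from the thread or from any specification. The function name, the "embedding-context" message type, the `ancestors` field and the partner list are all hypothetical, and how the parent learns the origins above it is assumed and not shown.

```javascript
// Added example; every name here is hypothetical.
// Origins the payment operator has a contractual relationship with (constructed sample).
const PARTNER_ORIGINS = new Set(["https://store.example.com"]);

// Decide the checkout flow from one postMessage event received inside the widget frame.
// `event` has the shape of a browser MessageEvent: { origin, source, data }.
// `parentWindow` is what the widget sees as window.parent.
// Returns "streamlined" or "confirm"; anything unexpected falls back to "confirm".
function chooseFlow(event, parentWindow) {
  // Only the direct parent may vouch for the embedding context.
  if (event.source !== parentWindow) return "confirm";

  // event.origin is set by the browser, so the sender cannot choose it.
  if (!PARTNER_ORIGINS.has(event.origin)) return "confirm";

  const msg = event.data;
  if (!msg || msg.type !== "embedding-context") return "confirm";

  // Assumed message format: the trusted parent lists the origins of the frames
  // above it, nearest first; an empty list means the parent is the top-level page.
  if (!Array.isArray(msg.ancestors)) return "confirm";

  // Partner page framed by some other site: streamline only if every
  // reported ancestor is also a partner.
  const allPartners = msg.ancestors.every((o) => PARTNER_ORIGINS.has(o));
  return allPartners ? "streamlined" : "confirm";
}
```

The widget would call this from its `message` event listener; the report is only as reliable as the partner page that sends it, which is the trust assumption stated in the reply.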