- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 4 Apr 2012 22:15:27 -0700
I can think of some fringe scenarios where disclosing parent origins may be somewhat undesirable. One example may be a "double-bagged" advertisement, where the intent is to not tell the advertiser about the top-level page the ad is embedded on (visited site -> <iframe> pointing to the ad provider site -> <iframe> with embedded advertiser content). Not sure if there's anything more convincing, but perhaps it's desirable to obtain constent from parents before populating the array (e.g. <iframe discloseorigin=yes>). If a member of the chain doesn't consent, the corresponding element of the array is null / undefined / an empty string? /mz
Received on Wednesday, 4 April 2012 22:15:27 UTC