- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 4 Apr 2012 22:25:11 -0700

In fact, in the vein of opt-in disclosure perhaps something like discloselocation={none|origin|full} would be more convenient - in which case, you get something like window.parentLocations[n].{origin|href|hash|...}

I constantly fear that origin scoping for security mechanisms is too coarse-grained in many use cases, because the complexity of what lives in any single origin is growing pretty rapidly. Sites put attacker-controlled content inside framed gadgets or advertisements, and can't be reasonably expected to understand that if such a frame is navigated to in a particular way, it may circumvent an origin-scoped check.

/mz

Received on Wednesday, 4 April 2012 22:25:11 UTC
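
An added example, not part of the original message: an origin-scoped embedder check beside a path-scoped one, run over a constructed ancestor chain in which a user-content gadget shares the origin of the trusted application. The entries mimic the `window.parentLocations[n]` shape proposed above, which is a proposal and not a shipped API; the function names, the `portal.example` URLs and the fail-closed handling of missing `href` are assumptions.

```javascript
// Constructed sample: ancestors of a framed widget, nearest parent first.
// Shape follows the proposed window.parentLocations[n].{origin|href} (hypothetical API).
const CONSTRUCTED_CHAIN = [
  { origin: 'https://portal.example', href: 'https://portal.example/gadgets/user/123' },
  { origin: 'https://portal.example', href: 'https://portal.example/app/dashboard' },
];

// Origin-scoped check: every ancestor must come from an allowed origin.
function originScopedOk(ancestors, allowedOrigins) {
  return ancestors.every(a => Boolean(a) && allowedOrigins.includes(a.origin));
}

// Finer-grained check: origin plus a path prefix, compared on whole path segments.
function pathScopedOk(ancestors, allowedPrefixes) {
  return ancestors.every(a => {
    // With "none" or "origin" disclosure there is no href to inspect: fail closed.
    if (!a || typeof a.href !== 'string') return false;
    let u;
    try {
      u = new URL(a.href); // also normalizes dot segments such as /app/../gadgets
    } catch {
      return false;
    }
    return allowedPrefixes.some(p => {
      const want = new URL(p);
      const base = want.pathname.endsWith('/') ? want.pathname : want.pathname + '/';
      return u.origin === want.origin &&
        (u.pathname === want.pathname || u.pathname.startsWith(base));
    });
  });
}

// The gadget frame shares the application's origin, so the coarse check accepts it.
console.log('origin-scoped:', originScopedOk(CONSTRUCTED_CHAIN, ['https://portal.example']));
// The path-scoped check rejects the chain because of the /gadgets/ ancestor.
console.log('path-scoped:  ', pathScopedOk(CONSTRUCTED_CHAIN, ['https://portal.example/app/']));
```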