- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 12 Apr 2012 12:42:15 -0700
Would this be transitive? Suppose A allows B with CORS and B allows C. What happens when C includes a frame to B and B includes a frame to A? Can C access A? Based on your description, it sounds like "yes", but there's widespread evidence that transitive trust is problematic. Adam On Thu, Apr 12, 2012 at 12:30 PM, Ojan Vafai <ojan at chromium.org> wrote: > We should add a crossorigin property on iframe that causes the request to > use CORS. If it's an allowed cross-domain request, then the page should > have access to the DOM of the frame. > > Also, seamless should work (assuming the CORS request succeeded of > course). One tricky thing here is that seamless needs to stop working if > the frame is navigated to a different origin to which it does not have CORS > access. > > Ojan
Received on Thursday, 12 April 2012 12:42:15 UTC