[whatwg] crossorigin property on iframe

On 4/12/12 3:30 PM, Ojan Vafai wrote:
> We should add a crossorigin property on iframe that causes the request to
> use CORS.

Which request?  Just the @src load?  Or navigation of the frame via its 
Location object too?

> If it's an allowed cross-domain request, then the page should
> have access to the DOM of the frame.

Which page?  Just the page that embedded the frame?  Or any page?  This 
should presumably be an asymmetric access check, in that the subframe 
should not be able to access the parent frame DOM?

If this is done, it sounds like the code in the parent frame would have 
to be _very_ careful to avoid being attacked by the subframe.  We 
(Mozilla) have a fair amount of experience in this sort of setup: we 
have a parent frame (the browser UI) that can touch cross-origin 
subframes (web pages) with asymmetric security checks.  We've discovered 
over the years that unless the access is very carefully mediated in 
various ways it becomes trivial for the subframe to run script with the 
permissions of the embedding frame.

While it's possible, obviously, to spec out the exact mediation needed, 
I just want us to realize that this is NOT a small project that will 
require a line or two of spec text to get right.

-Boris

Received on Thursday, 12 April 2012 13:04:40 UTC