- From: Ryosuke Niwa <rniwa@webkit.org>
- Date: Tue, 17 Apr 2012 20:58:02 -0700
On Tue, Apr 17, 2012 at 8:35 PM, Dmitry Titov <dimich at chromium.org> wrote:
> Would some sort of a same-origin policy help here? If both the iframe and
> parent document are same origin, can it be done, at least for the
> reparenting in the same JS execution block? Most (all?) of the security
> issues were specifically cross-origin.
>

If I remember correctly, some of the bugs we've had weren't about cross-origin iframes. It was about not being able to infer the correct origin in a detached iframe. So yes, they were cross-origin bugs because we ended up executing scripts we shouldn't be executing, but that's not because iframes were cross-origin to begin with.

> But yes, there are a lot of assumptions in the code about not only iframes,
> but most active objects to function only while they are connected all the
> way through to the valid DOM. There are too many APIs (and new ones are
> coming all the time) that pick up that assumption. It is not impossible,
> just a lot of work.
>

I would go as far as to say it's practically impossible.

- Ryosuke
Received on Tuesday, 17 April 2012 20:58:02 UTC