- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 18 Jan 2013 14:40:17 +0100
- To: Markus Ernst <derernst@gmx.ch>
- Cc: whatwg@whatwg.org, Nasko Oskov <nasko@chromium.org>

On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derernst@gmx.ch> wrote:
> The allow-seamless mechanism is to be triggered at the side of the embedded
> resource, which would also be the one affected by possible security risks
> (if I get this right). The developer of this resource will have to be aware
> of these risks, and avoid exposing critical stuff in pages that allow
> seamless embedding.
>
> So, would it be possible to generally treat resources that allow seamless
> embedding as same-origin from the security POV?

No. And "AllowSameOrigin" would not work either. Because of scripting, one
resource granting such access means exposing the entire origin to attacks.

--
http://annevankesteren.nl/

Received on Friday, 18 January 2013 13:40:42 UTC
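
The point made in the reply above, as an added example that is not part of the original message: a small model of the same-origin check showing why a per-resource grant cannot stay scoped to that resource. The URLs are constructed, and `reachable` with its `proposal` flag is a hypothetical model of the "treat opted-in resources as same-origin" idea, not a browser API.

```javascript
// Added illustration (not from the original thread). All URLs are constructed.

// An origin is the (scheme, host, port) tuple. The path is not part of it.
function originOf(url) {
  return new URL(url).origin;
}

// The existing rule: script may reach a document only if the origins match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical model: which of siteUrls can script from `embedder` reach?
// proposal=false: plain same-origin policy.
// proposal=true:  a document listed in optedIn is treated as same-origin
//                 with whoever embeds it (the idea asked about in the thread).
function reachable(embedder, siteUrls, optedIn, proposal) {
  const granted = new Set(siteUrls.filter((u) => sameOrigin(embedder, u)));
  if (proposal) {
    for (const foothold of siteUrls.filter((u) => optedIn.includes(u))) {
      // Script access to the opted-in document means running with its
      // origin, and every other path on that origin passes sameOrigin().
      for (const u of siteUrls) {
        if (sameOrigin(foothold, u)) granted.add(u);
      }
    }
  }
  return [...granted].sort();
}

// Constructed sample: one site opts in a single widget page.
const EMBEDDER = "https://embedder.example/page.html";
const SITE = [
  "https://bank.example/widget.html",
  "https://bank.example/account",
  "https://bank.example/settings",
  "https://other.example/",
];
const OPTED_IN = ["https://bank.example/widget.html"];

console.log("today:   ", reachable(EMBEDDER, SITE, OPTED_IN, false));
console.log("proposal:", reachable(EMBEDDER, SITE, OPTED_IN, true));
```

Only the widget page opted in, yet under the modelled proposal the account and settings pages become reachable too, because the check compares origins and has no notion of an individual resource.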