- From: Markus Ernst <derernst@gmx.ch>
- Date: Fri, 18 Jan 2013 17:07:31 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: whatwg@whatwg.org, Nasko Oskov <nasko@chromium.org>
On 18.01.2013 14:40, Anne van Kesteren wrote:
> On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derernst@gmx.ch> wrote:
>> The allow-seamless mechanism is to be triggered at the side of the embedded
>> resource, which would also be the one affected by possible security risks
>> (if I get this right). The developer of this resource will have to be aware
>> of these risks, and avoid exposing critical stuff in pages that allow
>> seamless embedding.
>>
>> So, would it be possible to generally treat resources that allow seamless
>> embedding as same-origin from the security POV?
>
> No. And "AllowSameOrigin" would not work either. Because of scripting
> one resource granting such access means exposing the entire origin to
> attacks.
>

I did not mean to merge origins, but to completely detach the included resource from its origin, and allocate it to the origin of the including document:

- Document A from domain-A.com includes resource B from domain-B.com
- Resource B has set AllowSameOrigin="domain-A.com"
-> Document A and resource B can access each other as same-origin
- Now Resource B tries to access resource C from domain-B.com
- Resource C does not have AllowSameOrigin specified for domain-A.com
-> Resource B cannot access resource C, as it would violate the same-origin policy. Resource B is treated as of origin domain-A.com.

I don't know whether this is possible, but I think if yes, it would be an elegant solution to this topic.
Received on Friday, 18 January 2013 16:08:05 UTC