- From: Brian Bober <netdemonz@yahoo.com>
- Date: Thu, 28 Feb 2002 23:24:08 -0500
- To: <www-html@w3.org>, <www-dom@w3.org>
- Cc: <BDGray@uwyo.edu>

Benjamin D. Gray: The URI of the document within the frame is not readable by the document outside the frame.

Philippe: at least the document outside the frame should have some way of knowing that the frame's URI was changed. I don't know if this is currently in the standard or not.

I don't see how this is a huge security risk. Any information that should be secured (passwords, etc) shouldn't be put in the URI of a document. As for passwords to servers, such as ftp://user:pass@blah, the user agent can strip the user:pass part of the URI.

I could see many uses for this ability. For instance... An embedding application could show information like stocks, etc while you are browsing. A web page could do the same thing in a frame while you are browsing in another frame. It could then show in a textarea where you are and you could even enter new URIs in the textarea and press Go, etc.

If you think it's too much of a security risk to be able to do this, then what about being able to use the src attribute of the frame indirectly, such as copying it to a textarea, etc - but not being able to record it? When you write to the textarea, the textarea could be marked as no longer readable by the page until it's cleared.

-----Original Message-----
From: www-dom-request@w3.org [mailto:www-dom-request@w3.org] On Behalf Of Philippe Le Hegaret
Sent: Monday, February 11, 2002 2:16 PM
To: Brian Bober
Cc: www-html@w3.org; WWW DOM
Subject: Re: src attribute of IFRAME and FRAME

On Sun, 2001-12-02 at 23:38, Brian Bober wrote:
> HTML and DOM stickers:
>
> Please CC me on any replies.
>
> 1) Frames
>
> In the HTML specs, it says that the src attribute should be the original
> content of the frame, but it doesn't say whether you are allowed to
> dynamically update it. If you aren't officially allowed to dynamically
> update it, then it is an error with the standard, otherwise it is an
> error with the documentation. You should be allowed to update frames in
> DOM and if that isn't the intent of the DOM standard, then it needs to
> be added. Is there any errata on this?

For security reasons, it is important not to let the user access the URI of the other document. src is not dynamically updated and we don't plan to add a new attribute for that effect.

Please, let us know if you are (or are not) satisfied with this decision,

Philippe, for the DOM WG.

Received on Thursday, 28 February 2002 23:24:15 UTC
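
The two mitigations discussed in this thread, hiding another document's URI from the embedding page and stripping the user:pass part before a URI is shown, can be combined in one check. The sketch below is an added example, not part of the original messages or of any DOM specification; the function names and sample hosts are hypothetical, and it assumes a same-origin comparison decides which documents count as "other", which the thread does not specify.

```javascript
// Added illustration; function names are hypothetical, not a browser or DOM API.

// Remove the user:pass@ part, as the message suggests a user agent could do.
function stripUserinfo(uri) {
  const u = new URL(uri);
  u.username = "";
  u.password = "";
  return u.href;
}

// Decide what the embedding document may learn about a frame's current URI.
// Returns the credential-free URI for a same-origin frame, otherwise null.
function frameUriVisibleTo(embedderUri, frameUri) {
  let embedder, frame;
  try {
    embedder = new URL(embedderUri);
    frame = new URL(frameUri);
  } catch (e) {
    return null; // unparsable input: reveal nothing
  }
  // Opaque origins (data: and similar) serialize to the string "null".
  // Two opaque origins must never be treated as equal to each other.
  if (embedder.origin === "null" || frame.origin === "null") return null;
  // Assumed policy: scheme, host and port must all match.
  if (embedder.origin !== frame.origin) return null;
  return stripUserinfo(frame.href);
}
```

Failing closed on unparsable input and on opaque origins matters here: a plain string comparison of the two `origin` values would treat two unrelated `data:` documents as the same site.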