RE: [www-html] Frame parent access control proposal (was: [ no subject at all ])

The security is, for instance, to stop a site from being able to get your
bank statement from inside a frame. Also, HTML and the DOM are so linked
that you can't talk about a security model without it pertaining to HTML and
the DOM.

-----Original Message-----
From: www-html-request@w3.org [mailto:www-html-request@w3.org] On Behalf Of Dave J Woolley
Sent: Tuesday, May 22, 2001 6:16
To: www-html@w3.org
Subject: RE: [www-html] Frame parent access control proposal (was: [ no subject at all ])


> From:	Brian [SMTP:netdemonz@yahoo.com]
>
> I think that security should be included in the DOM and HTML, and it should
> address especially: cross-domain access of elements in IFrames, among other
> things.
>
	[DJW:]  Noting that all forms of frames are discouraged by
	HTML 4.0 and XHTML 1.0 and are not allowed at all by ISO HTML
	and XHTML 1.1, Iframe, in particular, is a form of link, and
	the W3C philosophy appears to be to encourage the web, which means,
	essentially, to encourage the use of off site links.

> http://bugzilla.mozilla.org/show_bug.cgi?id=64886
	[DJW:]
	The feature proposed here++ would best be implemented using link elements
	(probably rev=), although it does imply a generalisation of a link to
	all links with the same prefix.  If you were to do this, other types
	of links should implicitly create a friendly referencer relationship, thus
	making it redundant for many well designed pages.

	As a pure HTML thing, it would seem to be more a copyright/deep linking
	control feature than straight security.  It doesn't help for non-HTML
	resources, and it doesn't help in suppressing banner advertising, etc.

> Also, Windows should be included in the DOM.
>
	[DJW:]  I believe the position is that Windows are part of the browser,
	not the document (author controlled multiple windows are again
	discouraged/impossible under the same conditions as frames).  However,
	it does seem that some standardisation is needed here, given their
	extensive use in the wild, so maybe W3C needs to create a graphical
	browser object model (or a suite of browser object models).  However,
	this is the wrong list to discuss object models.

[DJW:]
++The feature proposed is a new element that specifies realms permitted to
link to an HTML resource in a frame context, or permitted to link and be
treated as equivalent for DOM security models.

--
--------------------------- DISCLAIMER ---------------------------------
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of BTS.



Received on Wednesday, 23 May 2001 16:53:22 UTC