- From: Johnny Stenback <jst@netscape.com>
- Date: Fri, 15 Mar 2002 17:09:26 -0800
- To: "Benjamin D. Gray" <BDGray@uwyo.edu>
- CC: www-html@w3.org, WWW DOM <www-dom@w3.org>, Brian Bober <netdemonz@yahoo.com>
No, the URI of the frame is never readable from a document unless the document comes from the same host that the frame comes from (unless you change document.domain). It doesn't matter if the document that is trying to access the src is the document that contains the frame. Imagine yourself browsing to evil.com and they put up a whole page frame and load some other site into that frame, from there on, evil.com could track what pages you're browsing in that window w/o you knowing it until you cause the surrounding frame to be unloaded. That would not be acceptable from a privacy point of view. Benjamin D. Gray wrote: > Is the URI of the document within the frame at least readable by the > surrounding frames or main document? > > Benjamin D. Gray > > -----Original Message----- > From: Philippe Le Hegaret [mailto:plh@w3.org] > Sent: Monday, February 11, 2002 12:16 pm > To: Brian Bober > Cc: www-html@w3.org; WWW DOM > Subject: Re: src attribute of IFRAME and FRAME > For security reasons, it is important not to let the user access the URI > of the other document. src is not dynamically updated and we don't plan > to add a new attribute for that effect. > > Please, let us know if you are (or are not) satisfy with this decision, > > Philippe, > for the DOM WG. > -- jst
Received on Friday, 15 March 2002 20:09:17 UTC