[whatwg] Proposal: location.parentOrigin

Adam Barth w3c at adambarth.com
Tue Apr 3 16:48:46 PDT 2012


On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Tue, 3 Apr 2012, Adam Barth wrote:
>> Talking with some folks off-list, there are also use cases for knowing
>> the origin of the top-most document.
>
> Could you elaborate on those use cases? (And also those for parent.origin,
> though those seem more obvious, e.g. disabling features to protect against
> clickjacking in unauthorised embeddings.)

The use case is the same as in the previous email, specifically:

---8<---
Some widgets want to behave differently depending on the context in
which they are embedded.  For example, a payment widget might want to
send the user to a confirmation page for most web sites but might be
confortable with a more streamlined user experience when embedded on a
whitelist of sites with which they have a contractual relationship.
--->8---

The payment widget might care about all of its ancestors.  For
example, suppose the payment operator has a relationship with
store.example.com.  They might wish to fall back to using a
confirmation page if store.example.com is embedded as a frame in
another web site (e.g., pintrest).

Adam


More information about the whatwg mailing list