[whatwg] Dealing with UI redress vulnerabilities inherent tothe current web

Kristof Zelechovski giecrilj at stegny.2a.pl
Fri Sep 26 01:01:15 PDT 2008


It seems the problem equally affects embedded objects can be loaded from a
different origin as well.

Chris

 

  _____  

From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Robert O'Callahan
Sent: Friday, September 26, 2008 3:31 AM
To: Michal Zalewski
Cc: Maciej Stachowiak; whatwg at lists.whatwg.org
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent tothe
current web

 

IMHO the basic problem here is allowing IFRAMEs to be cross-origin by
default. That causes many problems, some of which you know well, and others
you probably don't (e.g.
http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html ). In fact, in
an ideal world, I think we'd default to same-origin restrictions on
everything --- IFRAMEs, images, scripts, etc --- and use a spec like Access
Controls to let sites opt-in to allowing their resources to be loaded from
specific other origins.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080926/093915be/attachment.htm>


More information about the whatwg mailing list