[whatwg] Same-origin checking for media elements

Silvia Pfeiffer silviapfeiffer1 at gmail.com
Tue Nov 11 21:26:19 PST 2008


On Wed, Nov 12, 2008 at 3:02 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Wed, Nov 12, 2008 at 4:22 PM, Tim Starling <tstarling at wikimedia.org>
> wrote:
>>
>> JavaScript already has measures along the lines of (2), in the context
>> of frames. The information a script can obtain about a frame from a
>> different origin is carefully restricted. I think that a similar
>> solution would be best. It has the advantage of consistency and proven
>> security.
>
>
> I would say it has a history of proven *insecurity*. Look at clickjacking
> for example.
>
> Anyway, having discussed this with Hixie and Maciej and others a bit on
> #whatwg, things seem to be leaning towards option 2.

While my gut feeling tells me that this is the right solution - would
you mind sharing some of the reasoning as discussed on IRC?

Thanks,
Silvia.


