[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Kristof Zelechovski giecrilj at stegny.2a.pl
Fri Sep 26 08:27:48 PDT 2008


Prohibiting third-party embedded content would disable media embedded in
blogs.
Chris

-----Original Message-----
From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Elliotte Harold
Sent: Friday, September 26, 2008 5:21 PM
To: whatwg at lists.whatwg.org
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to
the current web

6) Admit that iframes and 3rd party embedded content are broken by 
design. Eliminate the iframe element completely, and set browsers to 
*never* load content or communicate with any site except the primary URL 
of the page. No 3rd party cookies, no 3rd party images, no 3rd party 
frames, no 3rd party scripts, no 3rd party nothing. Everything on the 
page comes from the same host. No exceptions.

Simple. Secure. Easy to understand. Easy to implement.





More information about the whatwg mailing list