[whatwg] Dealing with UI redress vulnerabilities inherent tothe current web

Kristof Zelechovski giecrilj at stegny.2a.pl
Mon Sep 29 05:59:40 PDT 2008


I am not sure I have understood Robert correctly but it seems obvious to me
that if a site does not want to reveal its origin it cannot apply for a
tighter cooperation; it will just be treated as any other site in the wild.
And it is better not to rely on the user agent to do the right thing if
possible.

Chris

 

  _____  

From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Robert O'Callahan
Sent: Monday, September 29, 2008 11:33 AM
To: Hallvord R M Steen
Cc: whatwg at lists.whatwg.org; Michal Zalewski; Smylers
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent tothe
current web

 

That's good to have and we should definitely do it, but there are a couple
of reasons "Same-Origin-Only-Unless-

Access-Controls-Says-Otherwise" would be useful as well:
-- a bit simpler to implement on the server
-- for privacy reasons some UAs in some situations might not want to expose
the origin to the IFRAME's server; allowing the origin check to happen on
the client would handle that

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080929/7f052039/attachment.htm>


More information about the whatwg mailing list