[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
giecrilj at stegny.2a.pl
Fri Sep 26 01:01:15 PDT 2008
It seems the problem equally affects embedded objects, which can be loaded from a
different origin as well.
From: whatwg-bounces at lists.whatwg.org
[mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Robert O'Callahan
Sent: Friday, September 26, 2008 3:31 AM
To: Michal Zalewski
Cc: Maciej Stachowiak; whatwg at lists.whatwg.org
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the
IMHO the basic problem here is allowing IFRAMEs to be cross-origin by
default. That causes many problems, some of which you know well, and others
you probably don't (e.g.
http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html ). In fact, in
an ideal world, I think we'd default to same-origin restrictions on
everything --- IFRAMEs, images, scripts, etc --- and use a spec like Access
Controls to let sites opt-in to allowing their resources to be loaded from
specific other origins.