[whatwg] Communicating between different-origin frames
Ian Hickson
ian at hixie.ch
Tue Aug 10 16:55:37 PDT 2010

On Wed, 14 Jul 2010, James Graham wrote:
>
> Following some discussion of [1], it was pointed out to me that it is
> possible to make two pages on separate subdomains communicate without
> either setting their document.domain by proxying the communication
> through pages that have set their document.domain. There is a demo of
> this at [2].
>
> I'm not sure if this is already well-known nor whether it is harmless or
> not.
>
> [1] http://my.opera.com/hallvors/blog/2010/07/13/ebay-versus-security-policy-consistency
> [2] http://sloth.whyi.org/~jl/cross-domain.html

On Wed, 14 Jul 2010, Adam Barth wrote:
>
> This is well-known
>
> http://www.collinjackson.com/research/papers/fp801-jackson.pdf
>
> but not a good idea (see Section 4.4):
>
> http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf

I haven't changed the spec regarding this, since it's not clear what a
better solution would be. If anyone has a concrete proposal for what we
should require, please let me know.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'