[whatwg] Communicating between different-origin frames
Adam Barth
w3c at adambarth.com
Wed Jul 14 14:04:12 PDT 2010
This is well-known
http://www.collinjackson.com/research/papers/fp801-jackson.pdf
but not a good idea (see Section 4.4):
http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf
Adam
On Wed, Jul 14, 2010 at 2:39 AM, James Graham <jgraham at opera.com> wrote:
> Following some discussion of [1], it was pointed out to me that it is
> possible to make two pages on separate subdomains communicate without either
> setting their document.domain by proxying the communication through pages
> that have set their document.domain. There is a demo of this at [2].
>
> I'm not sure if this is already well-known nor whether it is harmless or
> not.
>
> [1]
> http://my.opera.com/hallvors/blog/2010/07/13/ebay-versus-security-policy-consistency
> [2] http://sloth.whyi.org/~jl/cross-domain.html