[whatwg] iframe sandbox allow-bottom-navigation

Nick Vidal nick at iss.im
Mon Sep 6 11:48:17 PDT 2010

>> By bookmark, I mean the Webtop being able to read the current location
>> of the website and saving that to the server-side. By save a session,
>> I mean the Webtop being able to read the location of all iframes it
>> created and saving that to the server-side for later retrieval.
> Reading the location of an iframe across origins is a security
> vulnerability.  We're not going to allow that.  You're of course free
> to remember where you directed the frame initially, but you won't be
> able to figure out what URL the frame is currently displaying.

Does it really represent a security vulnerability? Even when the
Webtop is a trusted source? And if allow-bottom-navigation is a
vulnerability, wouldn't allow-top-navigation be one too?
