[whatwg] iframe sandbox allow-bottom-navigation
Nick Vidal
nick at iss.im
Mon Sep 6 11:48:17 PDT 2010
>> By bookmark, I mean the Webtop being able to read the current location
>> of the website and saving that to the server-side. By save a session,
>> I mean the Webtop being able to read the location of all iframes it
>> created and saving that to the server-side for later retrieval.
>
> Reading the location of an iframe across origins is a security
> vulnerability. We're not going to allow that. You're of course free
> to remember where you directed the frame initially, but you won't be
> able to figure out what URL the frame is currently displaying.
Does it really represent a security vulnerability? Even when the
Webtop is a trusted source? And if allow-bottom-navigation is a
vulnerability, wouldn't allow-top-navigation be one too?