[whatwg] iframe sandbox allow-bottom-navigation
Adam Barth
w3c at adambarth.com
Mon Sep 6 12:11:20 PDT 2010
On Mon, Sep 6, 2010 at 11:48 AM, Nick Vidal <nick at iss.im> wrote:
>>> By bookmark, I mean the Webtop being able to read the current location
>>> of the website and saving that to the server-side. By save a session,
>>> I mean the Webtop being able to read the location of all iframes it
>>> created and saving that to the server-side for later retrieval.
>>
>> Reading the location of an iframe across origins is a security
>> vulnerability. We're not going to allow that. You're of course free
>> to remember where you directed the frame initially, but you won't be
>> able to figure out what URL the frame is currently displaying.
>
> Does it really represent a security vulnerability?

Yes.

> Even when the Webtop is a trusted-source?

What is a trusted source? There's no such thing in the web platform.

> And if allow-bottom-navigation is a vulnerability, wouldn't allow-top-navigation be one too?

allow-top-navigation only allows writing to the top frame's location.
The security vulnerability would be *reading* the location.

Adam