[whatwg] iframe sandbox allow-bottom-navigation

Adam Barth w3c at adambarth.com
Mon Sep 6 12:11:20 PDT 2010


On Mon, Sep 6, 2010 at 11:48 AM, Nick Vidal <nick at iss.im> wrote:
>>> By bookmark, I mean the Webtop being able to read the current location
>>> of the website and saving that to the server-side. By save a session,
>>> I mean the Webtop being able to read the location of all iframes it
>>> created and saving that to the server-side for later retrieval.
>>
>> Reading the location of an iframe across origins is a security
>> vulnerability.  We're not going to allow that.  You're of course free
>> to remember where you directed the frame initially, but you won't be
>> able to figure out what URL the frame is currently displaying.
>
> Does it really represent a security vulnerability?

Yes.

> Even when the Webtop is a trusted-source?

What is a trusted source?  There's no such thing in the web platform.

> And if allow-bottom-navigation is a vulnerability, wouldn't allow-top-navigation be one too?

allow-top-navigation only allows writing to the top frame's location.
The security vulnerability would be *reading* the location.

Adam
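The read/write distinction Adam draws, as an added model (not code from the thread or from any browser): origins are compared with the WHATWG URL parser, sandbox tokens are assumed to be the space-separated, ASCII-case-insensitive tokens of the iframe `sandbox` attribute, and the further "allowed to navigate" checks real browsers apply to cross-frame navigation are deliberately left out.

```javascript
// Added illustration of the Location access rule from the thread; a model, not a browser API.
function originOf(url) {
  // URL.origin is "null" for opaque origins (e.g. data:), which never match anything.
  return new URL(url).origin;
}

function sandboxTokens(attr) {
  // null means the frame has no sandbox attribute at all (unsandboxed).
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Decide whether script at `accessor` may perform `op` ("read" or "write")
// on the location of the browsing context currently showing `target`.
//   sandboxAttr: sandbox attribute of the frame that contains `accessor`, or null
//   targetIsTop: whether `target` is the top-level browsing context
function locationAccess({ op, accessor, target, sandboxAttr = null, targetIsTop = false }) {
  const a = originOf(accessor);
  const sameOrigin = a !== "null" && a === originOf(target);

  if (op === "read") {
    // Reading another frame's current URL reveals what the user is viewing there
    // (the "bookmark a Webtop iframe" case). Only a same-origin reader may do it,
    // and no sandbox token exists that unlocks a cross-origin read.
    return sameOrigin
      ? { allowed: true, reason: "same-origin read" }
      : { allowed: false, reason: "cross-origin location read is never allowed" };
  }

  if (op === "write") {
    // Navigating a frame only *writes* its location; nothing about the current
    // URL flows back to the writer. allow-top-navigation gates writes to top.
    const tokens = sandboxTokens(sandboxAttr);
    if (targetIsTop && tokens !== null && !tokens.has("allow-top-navigation")) {
      return { allowed: false, reason: "sandboxed frame lacks allow-top-navigation" };
    }
    return { allowed: true, reason: "navigation (write) only" };
  }

  throw new Error(`unknown op: ${op}`);
}

module.exports = { originOf, sandboxTokens, locationAccess };
```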