[whatwg] iframe sandbox allow-bottom-navigation
nick at iss.im
Mon Sep 6 12:46:02 PDT 2010
> allow-top-navigation only allows writing to the top frames location.
> The security vulnerability would be *reading* the location.
Hum... you are right. I just reread the specs and now I see that this
would be the top-down equivalent to *writing* to a child iframe using
src. I misread the specs believing you could *read* the top frame's
location, which by symmetry led me to believe that you could also
*read* from the top-down. My fault!
> What is a trusted source? There's no such thing in the web platform.
Except for the browser, at least theoretically. So if you could extend
this trust to the Webtop by guaranteeing that it's the top-most
authority, then just like the browser the Webtop could have access to
every children's history. So I guess the top-down/bottom-up symmetry
is not so symmetric after all!
Anyways, thanks for clearing this out!
More information about the whatwg