[whatwg] iframe sandbox allow-bottom-navigation

Nick Vidal nick at iss.im
Mon Sep 6 12:46:02 PDT 2010

Hi Adam,

> allow-top-navigation only allows writing to the top frames location.
> The security vulnerability would be *reading* the location.

Hum... you are right. I just reread the specs and now I see that this
would be the top-down equivalent to *writing* to a child iframe using
src. I misread the specs believing you could *read* the top frame's
location, which by symmetry led me to believe that you could also
*read* from the top-down. My fault!

> What is a trusted source?  There's no such thing in the web platform.

Except for the browser, at least theoretically. So if you could extend
this trust to the Webtop by guaranteeing that it's the top-most
authority, then just like the browser the Webtop could have access to
every children's history. So I guess the top-down/bottom-up symmetry
is not so symmetric after all!

Anyways, thanks for clearing this out!

Kind regards,

More information about the whatwg mailing list