[whatwg] Proposal: location.parentOrigin
Ian Hickson
ian at hixie.ch
Tue Apr 3 18:54:14 PDT 2012

On Tue, 3 Apr 2012, Adam Barth wrote:
> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson <ian at hixie.ch> wrote:
> > On Tue, 3 Apr 2012, Adam Barth wrote:
> >> Talking with some folks off-list, there are also use cases for knowing
> >> the origin of the top-most document.
> >
> > Could you elaborate on those use cases? (And also those for parent.origin,
> > though those seem more obvious, e.g. disabling features to protect against
> > clickjacking in unauthorised embeddings.)
>
> The use case is the same as in the previous email, specifically:
>
> ---8<---
> Some widgets want to behave differently depending on the context in
> which they are embedded. For example, a payment widget might want to
> send the user to a confirmation page for most web sites but might be
> comfortable with a more streamlined user experience when embedded on a
> whitelist of sites with which they have a contractual relationship.
> --->8---
>
> The payment widget might care about all of its ancestors. For example,
> suppose the payment operator has a relationship with store.example.com.
> They might wish to fall back to using a confirmation page if
> store.example.com is embedded as a frame in another web site (e.g.,
> Pinterest).

Why don't they just ask the parent frame for their parent's origin, since
they trust them?

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
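
The approach suggested in the reply above, sketched as an added example that is not code from the thread or from any participant: the widget accepts an embedding report over postMessage only from its direct parent and only when the browser-supplied event.origin is on its allow-list. The allow-list contents, the 'embedding-report' message shape and both function names are assumptions made for illustration.

```javascript
// Added example; the allow-list, message shape and function names are assumptions.
const TRUSTED_EMBEDDERS = new Set(['https://store.example.com']);

// Widget side: pick the payment flow from a MessageEvent-like object.
// parentWindow is window.parent in a browser; it is a parameter so the
// decision can be exercised outside a browser.
function chooseFlow(event, parentWindow, trusted = TRUSTED_EMBEDDERS) {
  // Only the direct parent may speak for the embedding context.
  if (!event || event.source !== parentWindow) return 'confirm';
  // event.origin is filled in by the browser, not by the sender.
  if (!trusted.has(event.origin)) return 'confirm';
  const data = event.data;
  if (!data || data.type !== 'embedding-report') return 'confirm';
  // Fail closed: streamline only on an explicit "not framed" from a trusted parent.
  return data.framed === false ? 'streamlined' : 'confirm';
}

// Parent side (store.example.com): report whether this page is itself framed.
function buildEmbeddingReport(selfWindow) {
  return { type: 'embedding-report', framed: selfWindow.top !== selfWindow };
}

// Browser wiring for the widget frame; skipped when no DOM is present.
if (typeof window !== 'undefined' && window.parent !== window) {
  let flow = 'confirm'; // default until a trusted report arrives
  window.addEventListener('message', (event) => {
    flow = chooseFlow(event, window.parent);
  });
}
```

The widget's decision is only as reliable as the report from the parent it already trusts, and any missing, malformed or untrusted message leaves it on the confirmation page.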